What is a Cybersecurity Framework? What fields does it cover?
Common Framework Families
In our previous blog, we reviewed what is needed to secure your environment. The most important piece is a framework, which describes your information system’s guidelines, standards, policies, and best practices for risk management. Some of these controls are inherited from other parties, such as a cloud provider or a governing body, some may not be applicable (your system may not handle PII or PHI), and some are unobtainable due to budget constraints. Here are some of the control families that your framework can cover:
Access Control / Identification and Authentication
This control family sets policies for handling access to applications and information.
This control is essential as this goes over who can and can’t get access to information. The best practice is to follow the concept of “least privilege”–meaning you only give access to people who need it. The risk of insider threats is real, and limiting access to someone who doesn’t have your organization’s best interests at heart can limit the impact that threat can have. In addition, these policies can also go into technical configurations such as lockout/password settings, 2FA, and account recovery.
Awareness and Training
This control family covers your employees’ training on cyber attacks.
The end user will always be the most vulnerable part of your network, as, unfortunately, people are prone to manipulation or naivety. Usually, users should go over training on phishing, reporting suspicious co-workers who show signs of violence or gambling, handling PHI/PII, and social engineering. We at Cyber Shepherd suggest creating phishing simulations on users through email to detect who falls for it so they can be re-trained on any gaps in knowledge.
Audit and Accountability
This control goes over the logging and auditing of your systems.
It is best practice to log events that happen on your system. You should also set up a SIEM that collects information on all systems, applications, and cybersecurity tools to allow for heuristic analysis of your system and automatically notify SOC personnel of certain events via email or text.
Assessment, Authorization, and Monitoring
This control goes over the continuous monitoring of your system.
The policies are in place; however, are they being followed? Are they outdated due to new security trends, requirements, or Information System expansion? Are these policies effective? This control allows the Chief Information Security Officer (CISO) or Information Systems Security Manager (ISSM) to set policies on the frequency of re-evaluation of policy/implementation and how that is done.
Configuration Management / Maintenance
This control goes into detail on how to change settings, patch, and improve configuration on your servers.
Unfortunately, the world will never be able to get away from having to patch our servers or change settings on devices to prevent attacks. There will always be more vulnerabilities and changes in functionality to be added/removed to your information system. The controls in the Configuration Management family go over policy guidelines for making these changes. How are changes documented? Are changes approved by a board comprised of engineering/cybersecurity leads? Are changes tested and functional after tests? Are there maintenance windows (i.e., patching outside operation hours)? Are there backup solutions in place in case of an outage after configuring?
Contingency Planning
This control family allows the organization to set policies for a range of catastrophes.
Several bad things can happen to your information system. What happens if a hurricane hits your on-prem servers? If you have the budget for it, it may be best to have a cold/hot site with similar configurations to stand up or have servers in the cloud. What happens if an attacker performs a ransomware attack? Will you pay the attacker’s demands or accept that risk? Do you have insurance if things go wrong? Those are the types of things this family goes over.
Incident Response
This control goes into how to best respond to threats.
This control highly depends on the “Audit and Accountability” family above. Incident response is only as good as the information you collect, so collecting as much information as possible is essential. This family goes into how to best respond to an attack. How are you quarantining access? Is it automatic upon certain events triggering? How are you tracking incidents? What process are you going through for investigation? How are threats detected? Are you blacklisting specific IP addresses from hitting your system? This control family will answer those questions.
Media Protection
This control family covers how files and hard drives are labeled, secured, and destroyed.
Do you encrypt your hard drives on laptops and external hard drives via Bitlocker/LUKS? What are the policies for exporting data from one information system to another? If data needs to be destroyed, how is it done (Shredding, Demagnetization, Drive Wipe)? Where are external hard drives stored? Is there a list of approved, whitelisted hard drives to prevent data exportation? You will use this family to help you define those policies.
Physical and Environmental Protection
How to protect the physical location of Information Systems
This family goes over protecting your information from humans and the environment. This family of controls gives you suggestions on server room temperature and on how best to secure your site physically. Is there a manned guard 24/7, or a camera system that alerts you if there is movement? Do you log people coming in and out of the server rooms? Are the facilities and the doors locked? Does the building have fencing with barbed wire? Do you have surge protectors? Is there a generator in case of a power outage? This control family is usually not applicable for cloud servers, as cloud providers already provide this service. Still, it is good to define if you have servers you manage locally.
Personnel Security
This control family helps set guidelines for hiring practices.
Insider threats are one of the more significant risks in cybersecurity, as bad actors can be hard to detect if the other controls in this list are not correctly implemented. If you do not have proper auditing solutions and do not follow the principle of least privilege, one insider threat can ruin your company. That is why it is best to follow procedures to protect yourself. It is best for the person you bring on to have a security clearance, public trust, or background check. It is also a good idea to have a method, such as HR, to track complaints about a person if they show signs of violence, gambling issues, a sudden flash of wealth, foreign ties, or ties to a competitor. All of the above are indicators that an individual can become an insider threat.
PII Processing and Transparency
Deals with the storing of PII/PHI
There are usually local and global laws on how to handle PII/PHI. These controls can help your company come up with policies on how to store data and how to notify individuals that their data is being stored. If other companies come to your organization for information, are they trustworthy enough to use that data? Are there agreements in place to protect the individual’s data? In the EU, the primary law determining requirements is the General Data Protection Regulation (GDPR), and in the US, the primary law is the Health Insurance Portability and Accountability Act (HIPAA).
Risk Assessment
This family of controls goes into detecting risk from within your environment. Do you have tools to detect vulnerable software and settings? Do you have pen testers that might pick up things you cannot see? Do you have EDR tools to detect risks? All of these are important to see risks in your systems and remediate them as quickly as possible.
System and Services Acquisition / Supply Chain Risk Management
These control families guide the acquisition of systems and services.
This control is vital, as the last thing you want is to buy a service and not get anything back. Also, the last thing you want is to acquire goods without getting approval or, even worse, without funding.
Another consideration when acquiring systems is making sure your supply chain is trusted. It can be catastrophic to mistakenly buy a server that arrives with pre-loaded malware, whether from state-backed APTs (such as Russia or China) or from independent hacker groups. Getting your services and goods from vetted and trusted companies is always the best practice.
System and Communications Protection
This control mainly focuses on securing the external side of the system.
Are devices exposed to the public internet held in a DMZ that is separated from other systems in the environment by a firewall? Do you have a cryptography solution to encrypt data in transit from one server to another? Do you have load balancers that share traffic equally and send users to another server if one goes down? Do you have DDoS protection? Do you have an IPS that can blacklist malicious IPs? Do you have firewalls that only allow traffic from the IP addresses that are actually needed? Defining and implementing these concepts can help your organization lower the external risks to your system from the internet.
System and Information Integrity
This control focuses on making sure your information system is not changed without your knowledge.
An excellent example of the importance of System and Information Integrity is an election. A disaster can occur if someone can go into an election system and change the number of votes for one candidate to allow them to win. While that can be seen as one of the most extreme scenarios, the same kind of impact applies to other systems. The best way to protect yourself is by using hashing algorithms. Hashing allows the user to detect whether a file has changed by giving you a unique hash for its contents. For example, you download a file directly from a vendor with a hash of 123456, but on a site that gives the same application out for free, the same file has a hash value of 654321. That is a good sign that the software has been tampered with. Do you use hashing to detect these changes?
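As an added example (not code from the original post), here is how the vendor hash check described above can be automated in Python: a downloaded file is streamed through SHA-256, the vendor’s published SHA256SUMS-style list is parsed, and the digests are compared in constant time. The file names, file contents and the resulting digests are all constructed for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample data: what the vendor shipped, and a "free download" copy
# that picked up an extra line somewhere along the way.
VENDOR_BYTES = b"#!/bin/sh\necho 'installing widget 1.0'\n"
TAMPERED_BYTES = VENDOR_BYTES + b"echo 'line added by an unknown third party'\n"


def sha256_hex(path: Path) -> str:
    """Hash a file in chunks so large installers never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def publish_sums(files: dict) -> str:
    """Produce the 'SHA256SUMS' text a vendor hosts next to its downloads ('<hex>  <name>')."""
    return "".join(f"{sha256_hex(p)}  {name}\n" for name, p in files.items())


def parse_sums(text: str) -> dict:
    """Parse SHA256SUMS lines into {filename: hex digest}; blank and '#' lines are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        expected[name.lstrip("*")] = digest.lower()   # '*name' marks binary mode in sha256sum
    return expected


def verify(path: Path, name: str, sums_text: str) -> bool:
    """True only if the file's digest matches the published one for that name."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False  # no published digest means the download cannot be verified
    return hmac.compare_digest(sha256_hex(path), expected)  # constant-time compare


def demo() -> tuple:
    """Returns (vendor copy verifies, tampered copy verifies) -> (True, False)."""
    with tempfile.TemporaryDirectory() as d:
        vendor = Path(d) / "widget-1.0.sh"
        vendor.write_bytes(VENDOR_BYTES)
        sums = publish_sums({"widget-1.0.sh": vendor})
        mirror = Path(d) / "mirror-widget-1.0.sh"
        mirror.write_bytes(TAMPERED_BYTES)
        return verify(vendor, "widget-1.0.sh", sums), verify(mirror, "widget-1.0.sh", sums)


if __name__ == "__main__":
    print("vendor ok, mirror ok:", demo())
```

The published digest must come from a channel you trust (the vendor’s own site over TLS, or a signed release note), since a hash hosted beside a tampered file proves nothing.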
This family also goes into code scanning and application security. If you have custom applications, it may be best to protect them from attacks like SQL injection, brute forcing, and directory traversal. You do that with code scanning tools that can detect whether your code is vulnerable. It is also a good idea to perform fuzzing before an application goes into production, to test whether random or malformed input can lead to admin access on the application or access to the underlying operating system.
Conclusion
By knowing these controls, you realize the power of frameworks and how important they can be to an organization. Don’t hesitate to contact Cyber Shepherd with any assistance we can provide to your organization.