Through an Assessor’s Lens: Discovering the Value of a NIST CSF Assessment

Through an Assessor’s Lens: Discovering the Value of a NIST CSF Assessment

NIST CSF, a cybersecurity framework helping uncover unknown risks, set up new controls, break down internal silos, achieve cybersecurity maturity.

As cybersecurity continues to mature and be at the top of everyone’s mind, a natural shift has occurred from focusing on meeting regulatory compliance mandates, to involving the business and reducing risks associated with their valuable assets.

Blocking every threat would be nice but is cost-prohibitive (not to mention nearly impossible). Instead, organizations are responsible for allocating resources to reduce areas of cyber risk within their defined tolerances levels. This is where the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) excels.

The NIST CSF was first published in 2014 under the Presidential Executive Order of ‘Improving Critical Infrastructure Cybersecurity,’ which called for a standardized security framework. Existing frameworks like NIST 800-53 and ISO 27001 provided specific controls and processes, while the creating of NIST CSF offered a more digestible and flexible cybersecurity framework, allowing all adopters to see their security program from a more strategic, business-centric view.

Why use NIST CSF?

One of the major benefits of NIST CSF is that it’s far less prescriptive than other cybersecurity standards as it is more open to adaptation. Any organization can use NIST CSF to identify and fill gaps in their cybersecurity program. That said, while the framework can be useful for achieving compliance goals, it is not a compliance exercise. Instead, it’s a tool to assess, identify risks, and put controls in place to address them.

The framework categorizes cybersecurity maturity in four tiers:

  • Partial: Controls are put in place ad hoc and issues are mitigated reactively.
  • Risk-informed: Controls are in place but usually not organization-wide.
  • Repeatable: Controls are formally approved and consistently implemented.
  • Adaptive: Controls are continually updated to reflect current threats and activities.

Moving from one tier to the next requires a cultural change, investment of time and resources, and formal coordination between cybersecurity and the rest of departments within the business.

NIST CSF provides a ‘closed-loop’ for continuous improvement in cybersecurity. By regularly assessing the current state of different controls and setting objectives for improvement, an organization can systematically reduce cyber risk.

Incorporating NIST CSF into your cybersecurity program

The framework does not meet every organization’s needs nor is it intended to replace others. NIST CSF is a descriptive (not prescriptive) framework, designed to be adapted to the needs of any type of organization. To get the maximum benefit, security leaders need to assess where the framework fits within the company’s needs and where it doesn’t. They also need to be mindful of the framework’s gaps (e.g. emerging technologies) that might be overlooked and consider complementing the framework’s controls with others specifically design for the current business and security challenges.

Organizations aren’t limited to using one cybersecurity framework. NIST CSF works well with other available frameworks, which may incorporate a blended set of controls because they fit both business and security needs. This is also applicable when an organization intends to obtain a certification (e.g. ISO/IEC 27001) or needs to meet regulatory requirements.

In addition, if the organization is coming from a place of low cybersecurity maturity, NIST CSF can be the stepping stone to build a foundational cybersecurity program. Next steps would be to develop a reasonable and attainable roadmap that can be created to improve said maturity for the future state.

Through the process, it is vital to get the buy-in from the business. This is to ensure that security is built into the culture and that the framework is formally integrated, aligned, and prioritized in the day-to-day operations.

NIST CSF assessments

A NIST CSF assessment is not an audit, rather an engagement to drive business value by identifying risks. In heavily regulated industries, it may be a requirement to perform a risk assessment each year; however, in lesser or unregulated industries, it is recommended to get an assessment every two years due to the continual evolution of threats.

A typical NIST CSF assessment follows three steps:

  • Step #1: Interviews and workshops with relevant subject matter experts and control owners.
  • Step #2: Review of documentation (policies, standards, and procedures) and evidence of controls in place.
  • Step #3: Report on the detailed findings, risks, and recommended steps to remediation control weaknesses or gaps in the current cybersecurity program.

It’s important to work with a qualified, independent assessor who has seen how the controls are applied across different industries and similar organizations. An experienced assessor can give organizations assistance on how the framework should be successfully applied, offer valuable insight into the level of maturity compared to others, provide risk mitigation techniques, and incorporate ‘hot topics’ during the risk assessment ensuring the organization is well protected.

Leveraging a professional brings many benefits for an organization, including:

  • Uncover control weaknesses and hidden/unknown risks. Interviews include discussions on how and where systems are connected and protected, which often uncover unknown risks. Likely to happen when operational and security departments act as silos and/or don’t have formal and centralized processes.
  • Identify areas where additional resources would help reduce risk. Risk reduction is fundamental, and NIST CSF assessments are valuable to identify the most important areas for investment of human, technology, and financial resources.
  • Realign cybersecurity priorities based on independent perspectives. It’s easy for decision-makers to ignore internal voices, but harder to do so with an unbiased independent assessment.
  • Address questions from executive management. An assessment provides an impartial answer to “Are we covering all major information security risks?” and boosts executive confidence in the program.

If you choose to work with an assessor, remember to always be transparent. Sharing all weaknesses enables the assessor to provide better guidance, which may also provide a platform for obtaining additional support or resources from management to address the areas of risks.

Risk assessment for Covid-19 and beyond

Covid-19 showed us the importance of having plans in place to address business continuity, security in the supply chain, and vendor risk focused on the resources that affect the organization’s up-stream and down-stream operations. Many organizations found themselves in the uncomfortable position of having to alter business operations because they didn’t assess or develop action plans.

Leveraging the NIST CSF, organizations can work on their cybersecurity maturity in a time when threats are constantly on the rise. Having a qualified assessor review your organization’s cybersecurity program, specifically using NIST CSF, can be helpful to identify risks that aren’t intuitively obvious but could cause serious disruption when they become a reality.

Cory Steinbicker, Senior Advisor – Strategy & Governance, Kudelski Security

This article was originally published in IT Pro Portal.

Cybersecurity Concerns with COVID-19

Cybersecurity Concerns with COVID-19

We are having increasing numbers of conversations with clients about cybersecurity and business continuity challenges resulting from the rapid adoption of work-from-home scenarios to combat the spread of COVID-19.

Clients are interested in cybersecurity policy updates to improve remote access, and asking for increased employee education around BYOD security, secure WiFi use, basic security hygiene, and COVID-19 phishing attack awareness. And finally, clients are asking how they can maintain security with a dramatic increase in devices and employees accessing sensitive data and systems from remote locations.

Below are some of the frequently asked questions (FAQs) we’re being asked along with the advice we are sharing.  There are likely many approaches, and many other questions. Please join the conversation by posting your point of view. We’re interested to hear how others are solving the challenges.

Technology Concerns:

My corporate VPN will not handle the strain of thousands of telecommuting employees. What should I do?

Most organizations do not have VPN capacity for everyone. If you find your existing VPN infrastructure overwhelmed, it will be challenging to procure physical equipment and increase the capacity of your internet links, in a short time period.

We recommend you start by asking ‘what applications and business processes really require VPN’. Many services your business consumes are now delivered from the Cloud and are accessible directly without a VPN connection. (i.e. Office 365, Salesforce, Netsuite, Workday, etc.)

If you really need to increase VPN capacity, we can suggest a temporary workaround: Open VPN Server via the AWS marketplace. A number of our clients have done this.  You can procure the license and the VM’s in a pay-as-you-go model. This allows you to leverage Amazon’s internet presence, and by establishing a site-to-site VPN back to your internal systems, you can rapidly increase your VPN capabilities while you procure enhancements to your internal infrastructure.  Typically, your existing firewalls can handle more traffic via a site-to-site VPN than from 1000’s of remote users.

What technology should I prioritize to facilitate business continuity in a work-from-home situation?

  • Collaboration licenses. Do you have enough collaboration license for everyone? With meetings shifting online it will likely stretch your collaboration infrastructure. 

We recommend balancing capabilities along with the desire to allow employees and business partners to communicate via both voice and video when it makes sense. Video could become very important to maintaining a cohesive environment over time if people are unable to meet in person for an expended period of time.

  • Password reset infrastructure.

The pressure on password reset infrastructure will become a challenge.

We suggest investing in self-service capabilities, if not already done so.  If you haven’t, you are likely to face problems and potentially have your helpdesk over-run with requests.

Security Concerns

What are the current tactics most commonly employed by attackers to compromise my security?  

Kudelski Security has received many reports from our clients about the following:

  • Fake Users Requesting Remote Access from the HelpDesk. This will continue to grow in frequency

Organizations will need to have a robust method of authenticating their remote employees in order to avoid falling victim to this type of attack. Hopefully, the time you previously invested in having a robust password reset process for your helpdesk will be able to be leveraged to protect against this attack.

  • Fake Users Pretending to be Helpdesk Support. This tactic usually involves the attacker asking employees to install software. This will also continue to grow in frequency.

We recommend you educate your workforce on how to identify a valid helpdesk request.  Technical controls limiting the software employees can install is also a good call at this point.

  • Fake Hardware Purchasing Requests Attackers are attempting to place orders for hardware under the auspices of a newly remotely working employee.

You will be better protected if you authenticate your requestors properly. Having a process in place where your hardware vendors only accept requests from validated sources will help you here.

What are the implications of remote working on my SOC data and operations?

A dramatic increase in remote connections is going to throw off your SOC baselines and will require you to re-baseline your traffic. It could also test your SEIM capacity to process and analyze all the new alerts.

We recommend you refine your threat hunting activities since all of these new remote connections are going to make it much harder to find bad actors.

Many employees work with sensitive data.  How can we facilitate secure business continuity in a remote-office environment?

Many employees are working with sensitive data and may not be used to working with it outside of the office environment.

We recommend you run some compulsory security training to remind employees about good security practice (secure WiFi use, issues around BYOD, shadow cloud/IT, basic security hygiene, and Covid-19 phishing attack awareness).

We also suggest you may need to revamp your process to enable this type of work securely. This extends to having sensitive conversations in an unsecure environment, and will impact your research and development personnel who may be working on unreleased products. What are you going to let them take home? Or will you have to suspend certain projects if you determine you need to close your office?

Staffing & Business Continuity Concerns

What are the best ways to support employees working from home, many of whom are not used to working remotely?

Having a large influx of new remote employees, many of whom are not accustomed to working remotely will place a significant short term strain on your support staff.

Start by looking at additional resources or special incentive plans to mitigate any slack.  Do people have the hardware to be productive?, i.e. printers, multiple monitors, power adaptors, dongles for our Mac people, etc. And while many clients are enabling staff to outfit their home offices with equipment from their primary offices, some cataloging should be done. At some point, many of these folks will likely return to an office. Corporate IT and finance will want to account for all the extra hardware that was either borrowed or purchased during this time to ensure it is returned or inventoried.

How can we keep morale and momentum going, in the medium to long-term? How do I keep revenue-generating employees engaged if the pandemic continues to affect new sales?

Honesty here is key. We also recommend having an open and honest discussion with your employees about the situation as it develops. It’s important that staff are reassured that this situation won’t last forever. Maintaining morale and ‘just checking in’ on your teams through regular phone calls/video calls will go a long way to keeping employees engaged.

See this unprecedented situation as an opportunity for online training. Programs that help skills development for remote working as well as developing industry-relevant knowledge are readily available.

What is the best way to preserve capital?

Preserving capital is an important point for reflection.

We suggest effective action is to right-size your project portfolio. Take the time to determine what projects across the enterprise are business-critical given the new operating environment. It’s likely you have many initiatives that can be postponed so that staff can focus on business-critical ones during this event. Not only does this preserve capital, but it also helps with any future staffing shortages

Need an expert? We can help. Click here.

This is an on-going blog post. Please comment here with anyone questions or concerns you may have and one of our experts will answer. 

5 Ways to Up Your Threat Management Game

5 Ways to Up Your Threat Management Game

Good security programs start with a mindset that it’s not about the tools, it’s what you do with them. Here’s how to get out of a reactive fire-drill mode with vulnerability management.

The basis of a good security program starts with a mindset that it’s not about the tools, it’s what you do with them. This mindset is most evident when critical vulnerabilities are released and everyone scrambles to mitigate exploitation.

Most recently, we saw this following the release of the latest critical Windows vulnerability (CVE-2020-0610 and others), which some folks have nicknamed CurveBall. The vulnerability affects Windows CryptoAPI and how Windows handles Elliptical Curve Ciphers (ECC) as part of this service. Microsoft also released two Remote Code Execution (RCE) bugs that are equally important.

It’s critical that companies get out of a reactive fire-drill mode and work toward cyber resiliency. Here are five recommendations for getting there.

Develop a VTM Strategy
One of the most important business strategies for a security program should be around vulnerability threat management (VTM). VTM strategies should include effective, timely, and collaborative reporting of actionable metrics. Avoid simple items such as the number of vulnerabilities on Windows systems and focus on meaningful items such as remediation rates of exploitable vulnerabilities on critical systems.

It’s important to keep in mind that VTM is a culture and an operational mindset. An effective VTM program should be implemented in concert with the larger security operations organization to mitigate threats and reduce threat actors’ overall attack landscape. It goes beyond scanning for vulnerabilities and telling IT ops to “not suck at patching.”

I recommend splitting your VTM strategy into two phases: detection and response. Detection aims to ensure effective, risk-based reporting and prioritized vulnerability mitigation by gathering all your data, validating the results, and applying a business risk. Automation can make this process easier. Further, using the Observe-Orient-Decide-Act (OODA) loop continually reduces the time it takes to locate and inform IT ops and development teams where corrective action needs to take place.

Response is where the rubber meets the road and where many of us pass on the work to other businesses to assist in applying patches or hardening systems. To that end, ensure the correct solution (mitigation or corrective action) is recommended by the VTM team and that the agreed-upon solution has been tested and won’t break production.

In deploying the solution, it’s critical that IT ops and development get prioritized patching and that we provide as few false positives as possible. Trust is earned through transparency and repetition, but it can be destroyed through bad data in an instant.

Know Your Inventory
Knowing where your assets are and who owns them is the basis of an effective and efficient VTM program. Inventory management is a common struggle, partially because VTM teams use a combination of sources to identify where assets live. There are widely available tools to automate and integrate inventory systems so you can avoid time-consuming inventory pulls or maintaining manual spreadsheets. I also recommend partnering with the leaders across your business lines to ensure that when new systems are spun up, the VTM program is effective.

Implement, Then Continually Improve
Don’t wait for the sky to fall to realize that you needed to practice. Just like any other part of an effective security organization, your VTM program should constantly improve. I’ve been a big fan of OODA loops for years.

They are highly effective when leveraged to continually improve an operational program where every initial Observation exits the loop with an Action to adjust the next Observation. If you’ve seen the same thing twice, you’re failing. Leverage cyclical processes to continually improve VTM operations and continually measure your own effectiveness.

Step Up Your Vendor Management
While we cannot simply run vulnerability scans or penetration tests against our vendors, we can put contractual obligations in place with vendors that have access to our sensitive data to secure it appropriately.

Rights to audit are key in any contract. I see many large financial institutions conducting audits on client programs. It’s a great way to validate how effective a program is, but keep in mind that it’s also very expensive to operationalize.

Finally, don’t be shy in working with your vendors. Build relationships with their security and IT organizations so that when a critical vulnerability is released, you know whom to call, and it’s also not the first time you have spoken.

Build a Professional Network
When I first entered the security field several decades ago, collaboration between security organizations in different companies was taboo. Today, it’s required. This sounds simple but is key: As a CISO or security leader, you must have an external network of peers to collaborate with. We must put egos aside and ask each other simple questions around the common problems we all face.

The release of new security vulnerabilities is only going to continue in the coming weeks and months. The most successful (and secure) companies will be able to look outside their network for actionable information and develop internal strategies to stay ahead of increasing threats.

This article was originally published in Dark Reading.

Global Cybersecurity Outlook: Andre Kudelski at World Economic Forum

Global Cybersecurity Outlook: Andre Kudelski at World Economic Forum

The annual cost of cyberattacks is expected to reach $6 trillion by 2021. What trends will shape cybersecurity in the near future?

On the Forum Agenda:
– Threats and opportunities for emerging technologies
– New models of public-private information exchange
– Improving organizational management and talent development

Access the Platform for Shaping the Future of Cybersecurity and Digital Trust via TopLink.

Cybercriminalité; La sécurité des réseaux électriques devient vitale

Cybercriminalité; La sécurité des réseaux électriques devient vitale

Kudelski se profile dans la sécurité des infrastructures critiques alors que la Confédération est en train d’étudier la vulnérabilité du système électrique

La cybersécurité est au cœur de la controverse qui oppose l’entreprise chinoise Huawei à l’administration
américaine dans le déploiement de la 5G. La question va immanquablement se poser bientôt dans
l’infrastructure des réseaux électriques dits intelligents. S’ils venaient à être piratés, un hôpital, une ville, voire
un pays pourraient être plongés dans le noir par l’action de personnes mal intentionnées.

Ne pas répéter les mêmes erreurs

À Davos, André Kudelski était l’une des vedettes des panels de discussions organisés par le WEF. À ses
yeux, il ne faut pas répéter la même erreur que celle commise avec le développement d’internet, infesté de
virus et vulnérable aux manipulations.

Faute d’avoir anticipé les risques de cybersécurité, tous les systèmes informatiques classiques doivent
constamment renouveler leur protection dans l’espoir qu’ils pourront contenir une attaque. «Les nouveaux
réseaux électriques intelligents, qui vont monitorer en temps réel les flux d’énergie, relier consommateurs et
producteurs, doivent être conçus dès le départ pour être résilients et non colmatés après coup», explique le
CEO André Kudelski. Le directeur de l’Office fédéral de l’énergie, Benoît Revaz, acquiesce: «Les réseaux
électriques vont comporter des milliers d’accès sensibles. S’ils seront très utiles pour gérer la demande et la
consommation, la vulnérabilité augmentera fortement.

La voiture dans le ravin

L’analogie avec la voiture connectée permet de mieux illustrer le problème que pose la sphère virtuelle quand
elle pilote le monde réel. S’il n’est pas très grave de perdre ses mails ou de devoir interrompre
temporairement l’activité d’une entreprise, une voiture connectée piratée finira, elle, dans le ravin. Dans le
domaine de l’électricité, un réseau peut s’effondrer et, en cascade, déclencher un black-out intégral.

Voilà pourquoi Kudelski a développé des compétences dans la gestion des réseaux d’infrastructures
sensibles, aux États-Unis mais également en Suisse. Certains États, comme le Royaume-Uni ou la Lettonie,
ont déjà essuyé de sérieuses attaques. Dans le cas d’un hôpital anglais, l’enquête a démontré que les pirates
étaient entrés dans son système informatique par l’ordinateur gérant la ventilation.

Conscient de ces dangers, qui vont décupler avec l’arrivée des compteurs intelligents, l’injection de courant
par des milliers de propriétaires d’installations photovoltaïques, l’Office fédéral de l’énergie procède
actuellement à une évaluation des risques et examine le type de réglementation qui sera nécessaire pour
éviter les pannes à répétition qui affectent les réseaux informatiques classiques.

L’OFEN pense qu’il est illusoire de vouloir réguler de manière rigide la sécurité. Il est plus utile de s’adapter
en permanence à la technologie en collaboration avec l’industrie. L’important est de vérifier que des
standards minimaux sont respectés dès le départ dans le déploiement des nouvelles applications.

Partenaires confidentiels

La société Kudelski se profile comme l’un des partenaires des entreprises suisses; elle réalise déjà un chiffre
d’affaires de plusieurs millions de francs par année avec des acteurs qui ne peuvent toutefois pas être
mentionnés pour des questions de confidentialité et de sécurité. Les labos de l’entreprise de Cheseaux lui
permettent d’examiner non seulement la vulnérabilité aux attaques de type virales, mais également la nature
des composants électroniques, les puces et microprocesseurs fabriqués par les usines de semi-conducteurs.

Les ingénieurs vérifient si les puces comportent ou non une porte d’entrée cachée utilisable par des pirates.
C’est précisément ce doute que les États-Unis brandissent pour interdire au fabricant chinois Huawei de
déployer la 5G sur leur territoire. On l’aura compris, si la sécurité dans les réseaux de téléphonie mobile est
critique pour les États, elle va devenir vitale dans le domaine de l’électricité.

Article original par Pierre Veya, est publié dans La Tribune de Genève, 24 jan. 2020