NIST CSF 2.0 brings new content to broaden its audience and new tools to help ease implementation.

By Jeffrey T. Lemmermann, CPA, CISA, CITP, CEH 

In 2013, the National Institute of Standards and Technology (NIST) began developing a program to help private-sector businesses better understand, manage and reduce cybersecurity risk. That effort, originally geared toward organizations that were part of the United States’ critical infrastructure, resulted in the NIST Cybersecurity Framework (CSF). In February 2024, version 2.0 of that framework was released. 

The NIST CSF wasn’t the first framework targeting information systems, not even within NIST itself. NIST SP 800-53 has been around far longer, and it’s designed to help organizations select and implement security controls for federal information systems. But for small and medium-sized organizations, 800-53 can be intimidating because of its complexity and sheer size. This is where the CSF fits in. The main focus of the CSF now is to help organizations of any size, any sector and any level of complexity manage and reduce risk. 

Here is how version 2.0 has been changed to help put the CSF into practice — for all organizations: 

The sixth function: Govern  

Prior to the update there were five functions (Identify, Protect, Detect, Respond and Recover) representing the key pillars of a complete cybersecurity program. The functions relate to one another, and each is broken into categories and subcategories that describe the specific outcomes to achieve.  

The sixth function, Govern, addresses the need to establish and maintain processes that support the overall information security program’s development and enforce its requirements. Notice in the charts how NIST depicts this function as a ring inside the other five. This portrays how all other functions rely on governance for their continued support and development: 

Govern (GV) looks at how an organization assesses cybersecurity risk, assigns roles, provides oversight and develops cybersecurity related policy. It is divided into the following six categories, each of which has a variety of subcategories: 

  1. Organizational Context (GV.OC): Five subcategories addressing the mission, stakeholder expectations and legal, regulatory and contractual requirements that shape the organization’s risk management decisions. 
  2. Risk Management Strategy (GV.RM): Seven subcategories describing how risk is measured, how much risk the organization is willing to accept, and how risk is factored into its decisions. 
  3. Roles, Responsibilities, and Authorities (GV.RR): Four subcategories addressing which positions are accountable for implementing and enforcing the various controls. 
  4. Policy (GV.PO): Two subcategories about how policy is established, communicated and enforced. 
  5. Oversight (GV.OV): Three subcategories addressing how the results of the risk management strategy are reviewed and how the strategy is adjusted. 
  6. Cybersecurity Supply Chain Risk Management (GV.SC): Ten subcategories on managing the risk introduced by suppliers, service providers and other third parties. 

Outcomes are identified by their function, category and position within the category. For example, the subcategory “Cybersecurity is included in human resources practices” is the fourth item under Roles, Responsibilities, and Authorities, so its designation is GV.RR-04. In total, the Govern function adds 31 subcategories to consider. Keep in mind that CSF subcategories describe outcomes rather than prescribing specific controls; the framework’s informative references map each outcome to the controls in other standards (such as SP 800-53 or the CIS Controls) that achieve it. 

New tools  

Reference tool 

One very useful tool that doesn’t look like much at first glance is the NIST CSF 2.0 Reference Tool, located online at https://csrc.nist.gov/Projects/cybersecurity-framework/Filters#/csf/filters

In prior versions, NIST provided a spreadsheet of the entire framework. With this tool, you can filter the framework before exporting your own spreadsheet version. For example, if you want to cross-reference the subcategories with the CIS Critical Security Controls, or want only the CSF items that map to a specific SP 800-53 control family, both can be done with this tool. 

Whether you are an auditor looking for an audit program or an implementor of the framework controls, this tool puts the framework at your fingertips. 

Quick-start guides 

There are a number of guides that can help organizations adopt or improve their adoption of the framework. One of the most useful for organizations that have not yet adopted a framework (or are just beginning the process) is the Small Business Quick-Start Guide. This guide helps organizations move from having unorganized policies and procedures to developing cybersecurity efforts that will support the formal adoption of the NIST CSF 2.0. This guide can assist organizations of any size as an onramp to the NIST CSF. It can be accessed directly at https://doi.org/10.6028/NIST.SP.1300

Community profiles and implementation examples 

If you are looking for examples of how other organizations are utilizing the CSF, NIST provides two great resources: 

Community profiles: These profiles detail how the CSF is utilized by multiple organizations in a community. The NIST National Cybersecurity Center of Excellence has worked with communities to develop community profiles for a variety of use cases. The goal is to help organizations understand how their peers are leveraging the framework. These profiles are available for versions 1.0, 1.1 and 2.0 of the CSF and can be viewed at https://www.nccoe.nist.gov/examples-community-profiles.  

Developing your own organizational profile will help define the current state and the ultimate target state of your cybersecurity posture. In a profile, you can define, tailor, assess, prioritize, and communicate outcomes by considering an organization’s mission objectives, stakeholder expectations, threat landscape and requirements. This will allow you to prioritize actions and better utilize resources. Guidance for developing this profile is available at https://doi.org/10.6028/NIST.SP.1301

Implementation examples: If you are looking for more detail than the profiles offer, these examples can give more of a step-by-step look at how other organizations have implemented the CSF. Many organizations with different needs, different sizes and different goals use the framework. These examples can help organizations find a similar use case, and they provide the early adoption steps that can help overcome the initial hurdle in adopting a framework. 

Continuing support 

This update to the CSF represents a major milestone in NIST’s support of the framework. After its initial publication in 2014, the CSF was updated in 2018 to version 1.1; version 2.0 makes the framework much more adoptable to organizations of many sizes and technical complexity. More importantly, it signals the importance of the framework to NIST and indicates that the tools developed to assist in implementing the CSF will continue to improve.  

Ultimately, the CSF framework should be viewed as a flexible resource that can help organizations enhance their overall cybersecurity maturity. Version 2.0 adds depth and, more importantly, tools that can help organizations in their mission to better protect their information assets. 

Jeffrey T. Lemmermann is an information assurance auditor and consultant for SynerComm and is the Wisconsin Champion for the Certified Information Technology Professional program. Connect with him on LinkedIn at: https://www.linkedin.com/in/jefflemmermann/ 

See the original publication found in On Balance Magazine.

At some point in 2015, cybercriminals had an aha moment. Instead of going through all of the trouble of breaking into a network, stealing data and then executing a complicated scheme to monetize that data, they found a shortcut - and it was already paved.

Data encryption was touted as a defense against attempts to steal data, and companies implemented encryption to keep their data safe. It did not take long for the bad guys to figure out a way to turn that defense around: Encrypt the victim's data and hold the key for ransom. Attackers already had reliable methods to trick users into running things they should not, and they paired those methods with tooling that locked companies out of their own computers, data stores and applications.

Companies faced the prospect of being without key systems and data for long periods of time, and the criminals offered a quick fix: Pay us to fix it. Insurance companies often encouraged payments, calculating that it was more economical to pay up front than to pay for rebuilding systems, covering lost revenue and buying new equipment.

The result was predictable. Criminals saw big pockets behind the companies they were attacking. They widened their attacks and increased the ransom demands. More criminals got into the game, realizing how profitable this venture was becoming.

How to measure your readiness

The biggest question that companies are asking today is this: "Can we survive a ransomware attack?" To answer that, it is best to break the threat down to four questions:

  1. Can we protect against the attack?
  2. Can we detect the attack?
  3. How do we respond to the attack?
  4. If the attack is successful, how will we recover?

Protect

The components of protection should be familiar, as they are the basic hygiene items needed to stop any cybersecurity threat:

Rights management

• Privileged access or admin access to devices throughout the network should be limited, with specialized accounts set up for local administrator tasks. When many users have admin access to many machines, ransomware spreads like wildfire.
• Access to file shares across the network should be only as-needed. Ransomware will look to encrypt whatever files the user who launched it can see and change. If the infected user has limited rights on file shares, the damage that can be caused will be limited.

Patch management

Malware frequently gets its foothold through computers that are missing patches. Ransomware is no different; yet patching continues to be a shortcoming in many organizations' defenses. The keys to an effective patch management program are to:

• Ensure ALL operating systems and platforms are covered by an automated patching system.
• Ensure ALL applications are covered by an automated patching system.
• Perform scans routinely on all systems in the environment to confirm the automated patching systems are functioning as intended.

Endpoint protection

Organizations need to have current and up-to-date technology defending endpoints. Anti-virus applications installed and forgotten five years ago do not meet this requirement. Make sure the endpoint protection system is actively monitored to ensure components are current and protections are not disabled.

Network segmentation

When commercial buildings, hotels and homes are built, codes have to be followed for a number of reasons, one of which is to ensure that fires have difficulty spreading from room to room and floor to floor. A computer network should be no different. Networked devices in one department should be able to see networked devices in another department only if there is a justified business requirement.

Detect

One of the most important aspects of limiting the damage of a ransomware attack is to know when it is happening. Following are the key steps to sharpening any company’s detection capabilities:

  1. Have a correctly configured Security Information and Event Management (SIEM) tool.
    SIEM tools collect logs from a variety of sources. But a SIEM is like a musical instrument. It will be a dust collector unless someone knows how to play it. SIEMs prove their worth when they are configured to analyze the logs and produce alerts directed to the right people. Instead of having people who pore through logs looking for problems, a finely tuned SIEM is a force multiplier, sending the right information to the right people to allow them to troubleshoot and prevent problems before they escalate.
  2. Conduct realistic tabletop exercises.
    Many organizations go through the exercise of bringing people into a room to talk about a possible scenario and find out what will be done. Very few organizations integrate actual actions, such as retrieving log information or confirming SIEM notices as part of the exercise. Put realism into these exercises by having simulated attacks during the tabletops to prove your detective measures are working.
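The kind of rule a tuned SIEM runs, and the kind of simulated attack a realistic tabletop can replay against it, as an added example that is not from the article or from any SIEM product: a small correlation routine over constructed file-share audit events. It flags an account that renames many files to one new extension within a short window (the trail an encryptor leaves on a share) and an account that writes a file whose name looks like a ransom note, while leaving an ordinary rename script alone. The event format, field names, marker words and thresholds are assumptions chosen for illustration.

```python
"""Toy SIEM correlation rule for ransomware activity on a file share.

Added example, not from the article or any SIEM product. The log format
(ISO-timestamp|user|host|action|path|new_path), the marker words and the
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath

WINDOW_SECONDS = 60      # assumed look-back window per user
RENAME_THRESHOLD = 20    # assumed renames-to-one-new-extension that trigger an alert
NOTE_MARKERS = ("decrypt", "recover", "restore_files", "how_to")  # assumed ransom-note hints


def parse_event(line):
    """Split one pipe-delimited audit line into a dict (assumed format)."""
    ts, user, host, action, path, new_path = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "action": action, "path": path, "new_path": new_path}


def ext_of(path):
    """Lower-cased extension of a Windows/UNC path, e.g. '.docx'."""
    return ntpath.splitext(path)[1].lower()


def detect(lines):
    """Return alerts for mass renames to one new extension and ransom-note drops."""
    alerts = []
    renames = defaultdict(deque)   # user -> deque of (ts, old_ext, new_ext) inside the window
    already_alerted = set()
    for line in lines:
        ev = parse_event(line)
        name = ntpath.basename(ev["new_path"] or ev["path"]).lower()

        # Rule 2: a written file whose name looks like a ransom note
        if ev["action"] == "WRITE" and any(m in name for m in NOTE_MARKERS):
            alerts.append({"rule": "RANSOM_NOTE", "user": ev["user"],
                           "host": ev["host"], "path": ev["path"]})

        if ev["action"] != "RENAME":
            continue

        # Rule 1: sliding window of renames per user; expire entries older than the window
        q = renames[ev["user"]]
        q.append((ev["ts"], ext_of(ev["path"]), ext_of(ev["new_path"])))
        while q and (ev["ts"] - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        changed = [(old, new) for _, old, new in q if new != old]
        new_exts = {new for _, new in changed}
        if (len(changed) >= RENAME_THRESHOLD and len(new_exts) == 1
                and ev["user"] not in already_alerted):
            alerts.append({"rule": "MASS_RENAME", "user": ev["user"], "host": ev["host"],
                           "count": len(changed), "new_ext": new_exts.pop(),
                           "first_seen": q[0][0].isoformat()})
            already_alerted.add(ev["user"])   # one alert per user per burst
    return alerts


def build_sample_events():
    """Constructed audit trail (not real data): normal work, a benign rename script,
    and one compromised account behaving like an encryptor."""
    base = datetime(2024, 3, 1, 9, 0, 0)

    def rec(t, user, host, action, path, new_path=""):
        return f"{t.isoformat()}|{user}|{host}|{action}|{path}|{new_path}"

    events = []
    # alice: ordinary edits on the finance share
    for i, f in enumerate(["q1_budget.xlsx", "notes.docx", "forecast.pptx"]):
        events.append(rec(base + timedelta(seconds=30 * i), "alice", "fs01", "WRITE",
                          ntpath.join(r"\\fs01\finance", f)))
    # carol: a build script renames five temp files; below threshold, no alert
    for i in range(5):
        p = ntpath.join(r"\\fs01\eng", f"build{i}.tmp")
        events.append(rec(base + timedelta(minutes=5, seconds=i), "carol", "fs01", "RENAME",
                          p, p[:-4] + ".log"))
    # bob's account, compromised: 25 mixed-type files renamed to one new extension in ~40 s,
    # then a ransom note written to the same share
    kinds = [".docx", ".xlsx", ".pdf", ".jpg", ".pptx"]
    for i in range(25):
        p = ntpath.join(r"\\fs01\hr", f"file{i}{kinds[i % 5]}")
        events.append(rec(base + timedelta(minutes=10, seconds=int(i * 1.6)), "bob", "fs01",
                          "RENAME", p, p + ".locky"))
    events.append(rec(base + timedelta(minutes=10, seconds=45), "bob", "fs01", "WRITE",
                      ntpath.join(r"\\fs01\hr", "HOW_TO_DECRYPT.txt")))
    return events


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)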

Respond

How an organization responds to a ransomware attack directly affects the amount of system damage caused by the attack. That response also affects the damage to its reputation with customers and the morale of its employees. This is where a formal incident response plan (IRP) is essential. The basic components of the IRP should include:

• Defined members of an incident response team (IRT).
• Contact information for external resources (such as the media, law enforcement and third-party consultants).
• Templates for communicating with employees, customers and vendors.

Specific to ransomware, the IRP should have a playbook for procedures related to a ransomware attack. Such a playbook can be designed through a tabletop ransomware exercise. This playbook will be unique to the organization with steps specific to the IRT members. Steps should include:

• User actions when ransomware is suspected.
• Specific steps for isolating network segments or systems.
• Communication steps with members of the IRT.

Recover

Recovering from a ransomware attack normally involves one of three options.

1. Recover via backups.

To be viable, backup systems and images cannot be compromised by the ransomware. Attackers will often look to encrypt or delete backups first so that a restore is not possible. To protect the ability to recover systems and data, organizations should:

• Maintain protected gold images of systems to ensure restoration to a known trusted state.
• Keep copies of data backups that cannot be overwritten and are disconnected from the production network (offline or immutable copies), and periodically test that they actually restore.

2. Pay the ransom.

Some companies are forced into this solution. Some look to it as the path of least resistance. There are risks that come with this choice: Will the decryption key be effective? Criminals realized early on that it is more profitable in the long run to provide the key. That does not mean it will be useful. In the case of the recent Colonial Pipeline attack, a large payment was made only to find the decryption tool was too slow to be of use (Morse, 2021). Unfortunately, if you're attacked once, you may be attacked again. A recent report indicated that 80% of businesses that paid to recover from an attack experienced a subsequent ransomware attack (Yu, 2021).

3. Rebuild from scratch.

This is the most painful scenario, normally chosen when backups cannot be restored and/or the purchased decryption key is not working.

What next?

Hopefully, this guide helps you to understand and prepare for these attacks. The tactics of the criminals continue to escalate with the release of captured data and the use of personal attacks on corporate executives to compel payment. Our efforts to resist need to meet these threats.

Microsoft Secure Score. If you’re an IT administrator or security professional in an organization that uses Office 365, then you’ve no doubt used the tool or at least heard the term. It started as Office 365 Secure Score, but it was renamed in April 2018 to reflect a wider range of elements being scored.

What does it do? The tool looks at configurable settings and actions primarily within your Office 365 and Azure AD environment, and awards points for selections that meet best practices. In their words, “From a centralized dashboard you can monitor and improve the security for your Microsoft 365 identities, data, apps, devices, and infrastructure.”

But what doesn’t Microsoft Secure Score do? Microsoft is very good at telling you the great things its products can do, so I won’t repeat them here. The concept is sound, and I applaud them for giving users a tool that prioritizes secure configurations. They have come a long way from having auditing turned off by default in their products, e.g., Windows 2000 Server. I will point out why Microsoft Secure Score isn’t enough when it comes to understanding and testing the security of your Microsoft 365 environment.

Reason number 1:  The fox shouldn’t guard the hen house.

I am a Certified Public Accountant (CPA), and as such, I’ve spent a good portion of my life performing audits and assessments. A key independence rule CPAs abide by is: an auditor must not audit his or her own work. Microsoft isn’t exactly independent when scoring its own product’s settings and capabilities. The financial motivation exists for Microsoft to set up a scoring system that makes users feel good about using Microsoft products. Interoperability and performance will always be a higher priority than security.

This fact is furthered by the scoring system setup, which unlocks higher point opportunities with higher priced subscriptions. For example, Microsoft Cloud App Security and Azure Advanced Threat Protection are unlocked with E5 licenses, or as a $5.50 per user per month add-on to an existing E3 license. This can be as much as a 70% price increase. If you want more chances to raise your overall score and a higher score ceiling, spend more money, a very beneficial side effect for Microsoft.

Also, remember that Secure Score is reflective of a Microsoft opinion and their subjective value for security controls they believe are important. This differs from widely accepted standards from organizations like NIST (National Institute of Standards and Technology) or CIS (Center for Internet Security) which are vendor neutral and have been refined, improved, and evolved over time.

Reason number 2:  No two environments are alike.

First let me say that Secure Score can be dented and bent to fit different environments. Scoring for certain areas can be manually entered if you have a third-party solution for a control. It will be incumbent on the person checking those controls to match what Secure Score is asking for. This is an all-or-nothing proposition, as indicated within Secure Score: “Marking as resolved through third-party indicates that you have completed this action in a non-Microsoft app, and will give you the full point value of this action.”

This is a key area where the Secure Score blanket fails to keep all areas of the entity covered and warm. There are bound to be components and configuration requirements that don’t quite fit what Secure Score evaluates or how it is scored. Think of the myriad application combinations that handle Customer Relationship Management (CRM), Mobile Device Management (MDM), Security Information and Event Management (SIEM), Data Loss Prevention (DLP), and Multifactor Authentication (MFA), just to name a few. An independent assessment of the environment that references best-practice hardening guides for the specific products comprising the solution is the only way to complete a proper evaluation.

Reason number 3:  Security is a journey, and a scorecard makes it a destination.

Don’t get me wrong, I like scores and grades. CPAs generally like to measure and quantify things. Secure Score quantifies security, gives you trends over time on your score, and even allows you to measure your score against others based on a global average, industry average, and similar seat count average.

What I don’t like is how the scores can be manipulated, or how they can be construed. If the O365 administrator wants to improve their percentage of points achieved, the simplest way is to select “ignore” for the scoring areas where they have earned 0 points. Per Secure Score documentation, “Once you ignore an improvement action, it will no longer count toward the total Secure score points you have available.” Lower the denominator, keep the numerator, and poof! We are more secure. Or are we?

Executives looking at a scorecard may also be satisfied once it has reached a certain percentage of the total available. A project that moves the Secure Score from 650 out of 807 points to 710 out of 807 points appears, to a non-security decision maker handling the budget, to make the company only about 7 percentage points more secure (from roughly 81% to 88%). That project may not make the cut. In reality, any scoring shortage could represent a critical configuration issue that puts information assets at risk. That point may get lost if the focus is the score.

Reason number 4:  A by-product of automated security is a false sense of it.

We hear stories all the time about breach activities that were being reported by automated logging systems, except no one was looking at the logs. IT management puts a tool in place and checks a box that implies the organization is secure in that area. Secure Score is ripe for this. Several improvement actions that will increase your score involve reviewing reports. When a link for a report is clicked, Secure Score assumes the report was reviewed and awards points. To keep the points, the link must be clicked within specific time intervals from within the Secure Score user interface, but this process does not record what was reviewed, or any notes or actions resulting from the review. There is no substitute for the actual review process and confirming that the review is happening.

Also consider an environment made up of multiple applications from different vendors where automated security evaluations, like Secure Score, are put in place. Each application in the system interacts with the others, potentially creating security control blind spots. For example, consider an email system that hands off outbound email to a third-party DLP solution. Are there security holes in the process that transfers data in and out of the DLP application? Identifying those weaknesses requires a holistic view, measured against currently accepted best practices, that just isn’t offered by Secure Score or any other automated solution.

In conclusion, I think Secure Score has a place in monitoring and evaluating an organization’s information security posture. Microsoft is taking recommendations from its user base and is working to improve Secure Score’s results and widen its coverage. It is a barometer of an information security environment that could produce important information when properly utilized.  

The bottom line, though, is that it is just one tool. It cannot replace a diligent information security program or, at a higher level, an information security management system. Independent assessment and review of controls, policies, procedures, and the people managing the environment work in tandem to assure the confidentiality, integrity, and availability of an organization’s information assets. Consider the diversity of an organization’s landscape:

These areas are all interdependent, yet all have their own unique traits and ways to be assessed and secured.  No one measurement tool is enough.

By Jeffrey T. Lemmermann, CPA, CISA, CITP, CEH - Information Assurance Consultant
