Framework or Crash, the Choice is Yours!

Jun 21, 2019 | Audit / Compliance, Blog

Are you using a framework to establish your information security program? If not, I get it; it’s complicated. On second thought, have you lost your mind?

I’ve been there. A number of years ago, while taking up a resolution to better document and organize a network that was developing rapidly, I began researching frameworks, mainly ISO and NIST. How many pages? What??? That is just the description book; there is an implementation novel as well?

If you are starting from scratch, there is a knowledge barrier that appears to be very steep. Once you see it, you undoubtedly ask yourself, “Is it worth the climb?” Then, the next time you get on an airplane, ask yourself, “Are pre-flight checklists worth the effort?”

A pre-flight checklist exists to ensure that all the requirements for a safe flight are in place before the plane leaves the ground. A pretty sound idea, since after it leaves the ground, it’s kind of too late.

I am squarely on the side that it is worth it and can make the case that all corporate IT breaches could have been avoided, or at the very least minimized, with a properly selected and implemented framework. Why? Because mature frameworks will contain controls, situations, and steps that you cannot think of on your own. They are designed to help prepare for the obvious and the unforeseen.

Consider the Target breach from 2013. This was a breach that started with a 3rd party contractor and ultimately led to the compromise of Personally Identifiable Information (PII) of 70 million customers along with data for 40 million credit and debit cards. There are many accounts of what happened during this event, but I’m going to draw a basic chain of events from the most widely accepted descriptions for our scenario:

  1. A third-party contractor fell victim to a malware attack and had its vendor credentials compromised.
  2. The credentials were used to access Target’s hosted vendor site and find a web application vulnerability.
  3. The exploit allowed attackers to upload tools to key systems on Target’s network.
  4. New credentials with administrator-level access were created within the network.
  5. Databases containing PII were identified, and the data was copied to an extraction point.
  6. Malware was installed on key systems to scan memory and capture credit card information.
  7. Credit card information was copied to the extraction point and the data was extracted via FTP.

For this breach, let’s look at NIST 800-53, an extremely deep and complete framework consisting of 18 control families. It is divided into Low, Moderate, and High implementations based on the system impact level. We will assume “Low” for this analysis, which contains 115 controls to be considered (see https://nvd.nist.gov/800-53/Rev4/impact/low). Here are a few of the controls that are directly applicable to each of the steps in the breach:

  1. PS-7: THIRD-PARTY PERSONNEL SECURITY; RA-3: RISK ASSESSMENT
  2. AC-17: REMOTE ACCESS; RA-5: VULNERABILITY SCANNING
  3. AC-3: ACCESS ENFORCEMENT; CM-7: LEAST FUNCTIONALITY; SI-4: INFORMATION SYSTEM MONITORING
  4. AC-2: ACCOUNT MANAGEMENT; IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
  5. AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; SE-1: INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION
  6. CM-5: ACCESS RESTRICTIONS FOR CHANGE; SI-16: MEMORY PROTECTION
  7. SC-7: BOUNDARY PROTECTION; SC-8: TRANSMISSION CONFIDENTIALITY AND INTEGRITY

Note that I said “a few of the controls…” The above is just a quick sampling of controls that would have prevented, or at least minimized, the damage done in the breach. Other controls would also come into play: some controls address documentation, some address enterprise-level concerns, and some address application-level concerns. The key is that they work together and rely on each other.

Here is an example:

SC-7 is documented this way on the nist.gov website –

SC-7 BOUNDARY PROTECTION

Control Description

The information system:

  1. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
  2. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
  3. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

Related to: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13

CM-7 appears in the “Related to:” section, which lists the controls that this control depends on, or that depend on it, in one direction or both. Here is CM-7 –

CM-7 LEAST FUNCTIONALITY

Control Description

The organization:

  1. Configures the information system to provide only essential capabilities; and
  2. Prohibits or restricts the use of the following functions, ports, protocols, and/or services:

Related to: AC-6, CM-2, RA-5, SA-5, SC-7

Each control has related controls, which is why proper implementation of the entire framework is essential to maximizing the benefits.
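To make the “related controls” point concrete, here is an added example (not from the original post, and not NIST’s own data or tooling) that treats the two “Related to:” lists quoted above as a directed graph and walks it. It assumes that every control other than SC-7 and CM-7 has no outgoing links, which is an assumption made only to keep the example self-contained; the real framework lists related controls for every control, so the closure from any starting point is far larger than what this small graph produces.

```python
# Added example, not part of the original post: model the "Related to" links
# quoted above as a directed graph and show how a small sample of controls
# pulls further controls into scope through their dependencies.

from collections import deque

# Only the two "Related to" lists quoted in the post are real data here.
# Every other control is treated as having no outgoing links (an assumption
# made so the example runs stand-alone, not a statement about NIST 800-53).
RELATED = {
    "SC-7": ["AC-4", "AC-17", "CA-3", "CM-7", "CP-8", "IR-4", "RA-3", "SC-5", "SC-13"],
    "CM-7": ["AC-6", "CM-2", "RA-5", "SA-5", "SC-7"],
}

# The controls the post maps to the seven steps of the breach chain.
BREACH_STEP_CONTROLS = {
    1: ["PS-7", "RA-3"],
    2: ["AC-17", "RA-5"],
    3: ["AC-3", "CM-7", "SI-4"],
    4: ["AC-2", "IA-2"],
    5: ["AU-6", "SE-1"],
    6: ["CM-5", "SI-16"],
    7: ["SC-7", "SC-8"],
}


def related_closure(start, related=RELATED):
    """Return every control reachable from `start` by following "Related to"
    links breadth-first, including `start` itself."""
    seen = {start}
    queue = deque([start])
    while queue:
        ctrl = queue.popleft()
        for nxt in related.get(ctrl, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def mutual_links(related=RELATED):
    """Return the set of (a, b) pairs, ordered a < b, where each control lists
    the other as related: the dependencies that run in both directions."""
    pairs = set()
    for a, targets in related.items():
        for b in targets:
            if a in related.get(b, []):
                pairs.add(tuple(sorted((a, b))))
    return pairs


def controls_implied_by_steps(steps=BREACH_STEP_CONTROLS, related=RELATED):
    """Return the controls that the breach-step sample drags in through
    "Related to" links but that were not named for any step directly."""
    named = {c for ctrls in steps.values() for c in ctrls}
    implied = set()
    for c in named:
        implied |= related_closure(c, related)
    return implied - named


if __name__ == "__main__":
    named_count = len({c for ctrls in BREACH_STEP_CONTROLS.values() for c in ctrls})
    print("Reachable from SC-7:", sorted(related_closure("SC-7")))
    print("Two-way links:", sorted(mutual_links()))
    print(f"Controls implied beyond the {named_count} named:",
          sorted(controls_implied_by_steps()))
```

Even with only two controls’ links present, starting from SC-7 reaches 14 controls, SC-7 and CM-7 turn out to be a two-way dependency, and the 15 controls named for the breach steps pull in 9 more that the sampling never mentioned. With the full framework’s link lists loaded into `RELATED`, the same walk is a quick way to see which controls a partial implementation is leaning on without having implemented them.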

So how do you start? Pick your idiom: It’s like writing a novel, eating an elephant, mailing a jeep home, drinking a half barrel of beer. You do it one page, one bite, a few parts, or one glass at a time.

Which framework should you select? Statistically, according to Tenable’s Trends in Security Framework Adoption Survey (https://www.tenable.com/whitepapers/trends-in-security-framework-adoption), released in 2018, 84% of organizations in the US use a security framework, with the top 4 being:

  1. PCI DSS (47%)
  2. ISO 27001/27002 (35%)
  3. CIS Critical Security Controls (32%)
  4. NIST Framework for Improving Critical Infrastructure Security (29%)

Look first to your organization and/or your customers. If you are in manufacturing, and have adopted ISO for your manufacturing standards, then the ISO 27000 series (specifically ISO/IEC 27001:2013) probably makes sense. If your organization will be relying on credit card processing, then the PCI DSS framework may be mandatory. If your client base includes governmental entities, then NIST will be a requirement.

So, consider this your crash warning indicator light. It is blinking, and you should probably do something about it!

“The first step towards getting somewhere is to decide that you are not going to stay where you are.”

-Chauncey Depew