NIST Cybersecurity Framework

NIST Conference a Timely Reminder That Private-Public Co-operation Is Needed to Fight Hackers

The dangers of cybersecurity breaches once more made headlines in 2018. Facebook, British Airways, and the Centers for Medicare and Medicaid Services all suffered breaches that exposed customer or citizen data.

This demonstrates that corporations and government agencies continue to be prime targets for cybercriminals, and that joint investment in robust prevention, detection, response and recovery measures needs to be prioritized. In November 2018, the National Institute of Standards and Technology (NIST) hosted a cybersecurity conference in Baltimore.

For those businesses looking for guidance, NIST released version 1.1 of its Cybersecurity Framework in April 2018.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is a voluntary tool, created in collaboration with the private sector, designed to help businesses and organizations manage the risk of cybersecurity breaches. It covers threats such as malware infection and the loss or theft of data, but it is a risk-management structure rather than a checklist of specific controls.

Its Core organizes cybersecurity activities into five Functions: Identify, Protect, Detect, Respond and Recover. These are subdivided into Categories and Subcategories (22 and 98 in version 1.0; 23 and 108 in version 1.1, which added a Supply Chain Risk Management category). Each Subcategory is mapped to Informative References: specific sections of existing standards, guidelines and practices such as ISO/IEC 27001, NIST SP 800-53 and the CIS Controls.

The Framework also defines four Implementation Tiers (Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable and Tier 4 Adaptive). These give organizations a vocabulary for describing how rigorous and integrated their cybersecurity risk management practices currently are. Finally, a Framework Profile lets an organization select the Core outcomes that matter most to it. Building both a ‘Current Profile’ and a ‘Target Profile’ exposes the gaps between them, which become a prioritized roadmap for moving the organization forward.

What was added in Version 1.1?

In April 2018, Version 1.1 of the NIST Cybersecurity Framework was released. The update clarifies that the Framework applies to operational technology and cyber-physical systems, and explicitly encompasses the Internet of Things (IoT), whose devices often carry only minimal hardware and software. The IoT is going to become a major factor in the future of business as supply chain operations are automated. Every link in that chain must be secured, because cybercriminals will actively hunt for the single weak device or supplier that can bring down a company, and the interconnected nature of smart supply chains makes them particularly vulnerable.

Supply chain risk management is therefore a headline addition to the updated Framework. Version 1.1 also adds a section on measuring and self-assessing cybersecurity risk, refines the guidance on authentication, identity management and access control, and adds a subcategory on coordinated vulnerability disclosure. Supporting resources on the cyber-attack lifecycle, governance, and small business awareness have been added alongside it.

Latest Password Guidance from the NIST

With more than 80% of hacking-related breaches making use of stolen or cracked passwords, NIST regularly provides guidance on choosing and managing passwords. The formal rules live in NIST Special Publication 800-63B (Digital Identity Guidelines), which drops mandatory composition rules and periodic expiry in favour of length and screening new passwords against lists of known-compromised ones. Applicable across all industries, NIST’s current three-step advice is as follows:

  1. Don’t rely on passwords alone for protecting valuable accounts. Make use of multi-factor authentication too.
  2. Use password phrases that are hard to guess but easy to remember. The specific guidance is to use multi-word phrases that form a mental picture.
  3. Pay special attention to your most important accounts by giving each a unique password phrase.
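The three points above can be enforced mechanically. The following Python is an added example (not NIST's code and not from the original article) that screens a candidate passphrase the way SP 800-63B suggests (length, multiple distinct words, not on a compromised list, no composition rules), generates a random multi-word passphrase, and keeps a small salted-hash vault that refuses to reuse a passphrase across accounts. The blocklist, word list, minimum length (15) and minimum word count (3) are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets

# Constructed sample of a compromised-password blocklist. A real deployment
# would load a large breach corpus (for example an offline Have I Been Pwned
# dump) and compare normalized, lower-cased input against it.
COMPROMISED = {
    "password", "password123", "letmein", "qwerty123",
    "correct horse battery staple",
}

# Constructed 16-word list; a real generator would use something like the
# EFF long word list (7776 words, ~12.9 bits of entropy per word).
WORDLIST = [
    "amber", "bridge", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jasmine", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pebble",
]

MIN_LENGTH = 15  # assumption: well above SP 800-63B's 8-character floor
MIN_WORDS = 3    # assumption: what "multi-word phrase" means here


def check_passphrase(phrase: str, blocklist=COMPROMISED) -> list:
    """Return a list of problems; an empty list means the passphrase is acceptable.

    Deliberately no composition rules (digits, symbols, mixed case): length,
    distinct words and absence from a compromised list are what matter.
    """
    problems = []
    normalized = " ".join(phrase.split())          # collapse runs of whitespace
    words = normalized.lower().split(" ")
    if len(normalized) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(words)) < MIN_WORDS:                # "not not not not" does not count
        problems.append(f"fewer than {MIN_WORDS} distinct words")
    if normalized.lower() in blocklist:
        problems.append("appears in compromised-password list")
    return problems


def generate_passphrase(n_words: int = 4, wordlist=WORDLIST):
    """Return (phrase, entropy_bits) for n_words drawn without replacement
    using the OS CSPRNG. Entropy counts ordered selections from the list."""
    words = secrets.SystemRandom().sample(wordlist, n_words)
    bits = math.log2(math.perm(len(wordlist), n_words))
    return " ".join(words), bits


class PassphraseVault:
    """One salted PBKDF2 hash per account; enrolling an already-used passphrase
    under a second account is refused (unique passphrase per account)."""

    ITERATIONS = 100_000  # assumption; tune upward for production hardware

    def __init__(self):
        self._entries = {}  # account -> (salt, digest)

    def _digest(self, phrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", phrase.encode(), salt, self.ITERATIONS)

    def reused_by(self, phrase: str) -> list:
        """Accounts already protected by this passphrase (constant-time compares)."""
        return [acct for acct, (salt, digest) in self._entries.items()
                if secrets.compare_digest(self._digest(phrase, salt), digest)]

    def enroll(self, account: str, phrase: str) -> list:
        """Store the passphrase for account; return problems (empty on success)."""
        problems = check_passphrase(phrase)
        reused = self.reused_by(phrase)
        if reused:
            problems.append("already used for " + ", ".join(reused))
        if problems:
            return problems
        salt = secrets.token_bytes(16)
        self._entries[account] = (salt, self._digest(phrase, salt))
        return []

    def verify(self, account: str, phrase: str) -> bool:
        salt, digest = self._entries[account]
        return secrets.compare_digest(self._digest(phrase, salt), digest)


if __name__ == "__main__":
    vault = PassphraseVault()
    phrase, bits = generate_passphrase()
    print(f"generated {phrase!r} ({bits:.1f} bits)")
    print("bank  :", vault.enroll("bank", phrase) or "ok")
    print("email :", vault.enroll("email", phrase) or "ok")   # refused: reuse
    print("email :", vault.enroll("email", "password123") or "ok")
```

Note that the reuse check has to re-hash the candidate once per stored account because each account has its own salt; that is the price of not storing anything reversible. The entropy figure is only as good as the word list, so the toy 16-word list here yields about 15 bits, far below what a real list provides.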

Positive Signs for a More Inclusive Framework

Although the NIST Framework is a step in the right direction, it has been criticized as inaccessible for small businesses: many of the Informative References linked to the Subcategories are standards that can only be read by paying the relevant standards body for a copy or subscription.

In response, legislators introduced two bills, the MAIN STREET Cybersecurity Act of 2017 and the NIST Small Business Cybersecurity Act of 2017, to ensure small businesses can access the information they need to stay safe. The latter was signed into law in August 2018 and directs NIST to publish free, simplified resources for small businesses.

The Trump administration has also shown that it recognizes the importance of securing businesses. The DHS is getting involved in securing the business supply chain, and Executive Order 13800 (May 2017) directs all federal agencies to manage their cybersecurity risk using the NIST Framework, although non-federal corporations and organizations remain free to adopt it voluntarily.

The attendance of IT giants such as Microsoft and Google at the NIST conference indicates that there is more acceptance of the need for a collaborative approach to cybersecurity.

How will this impact businesses? Well, don’t be surprised to see compulsory NIST compliance sooner rather than later. If you don’t have an in-house IT support or cybersecurity team, or sufficient IT consulting processes in place, now could be the time to start bringing in those resources and embracing the NIST Framework.

About Brent:

Brent Whitfield is the CEO of DCG Technical Solutions Inc., located in Los Angeles, CA since 1993. DCG provides IT services for Los Angeles area businesses that need to remain competitive and productive while being sensitive to limited IT budgets. Brent writes and blogs frequently and has been featured in Fast Company, CNBC, Network Computing, Reuters, and Yahoo Business. https://www.dcgla.com was recognized among the Top 10 Fastest Growing MSPs in North America by MSP Mentor. Because of Brent’s experience as an MSP, he actively serves on partner advisory councils for many of the major MSP vendors providing backup, RMM, and software to the market. He also leads SMBTN – Los Angeles, an MSP peer group that focuses on continuing education for MSPs and IT professionals. Twitter: @DCGCloud