Learn About the NIST Cyber Security Framework (Part 1)
As the nation experiences more frequent Cyber Security events, like the SolarWinds and Colonial Pipeline attacks, we need to do everything we can to protect our businesses and the valuable data they manage. Over the last decade, the National Institute of Standards and Technology (NIST), part of the US Department of Commerce, has taken a leadership role in this effort by developing the Cybersecurity Framework, usually just called “The Framework,” a three-part system to help businesses and other organizations better manage and reduce their Cyber Security risks. The Framework’s three components are The Core, Implementation Tiers, and Profiles. Together, they provide a common language and a set of best practices that can be used to improve the efficiency and effectiveness of Cyber Security efforts.
The first of the three components, The Core, is structured around the five key Functions of Cyber Security: Identify, Protect, Detect, Respond, and Recover. We’ve touched on these five Functions briefly in past posts, and they are an incredibly important part of managing Cyber Security maturity. To give them the attention they deserve, we decided to create a three-part blog series that breaks the Protect Function down into actionable information, category by category. This post, Part One of the series, takes a deep dive into the first two categories of The Core’s Protect Function:
- Identity Management, Authentication, and Access Control
- Awareness & Training
The next two posts will cover the remaining four categories: Data Security, Information Protection Processes & Procedures, Maintenance, and Protective Technology.
Identity Management, Authentication, and Access Control
The first category of the Protect Function is Identity Management, Authentication, and Access Control. In plain terms, that means securing data and systems by controlling who can reach them and what each person is allowed to do once they do, whether that is reading, downloading, or changing the data. At its foundation lies the concept of a unique identity for every person who accesses either digital or physical spaces: no shared logins and no shared badges, so that every action can be tied back to a specific employee or visitor and monitored. And it’s not just about usernames and passwords. These concepts extend into the physical world as well. Surveillance and lock-and-key (or badge) solutions should be employed throughout the facility, with regular evaluations to check for blind spots or substandard control.
Physical Cyber Security Control
In its own way, COVID has helped form better habits in terms of physical security, because management has been required to exercise tight control over any employees or visitors entering buildings. Those who do enter have to leave their name and provide a reason for being there. While this still isn’t quite best-in-class on its own, it’s a step toward tighter scrutiny of who enters the building and when. When we all get back to our normal lives, we need to keep up these new standards of control so that we can track who has been in the building and why. Solutions like Smart Cameras with Object Detection in high-traffic areas can substantially increase physical security control.
Digital Cyber Security Control
This same approach should be extended to the digital space, where “entry” is constantly guarded by strong control measures. Onboarding and offboarding policies need to be reviewed and followed so that new employees, or those changing positions, only get the access their role requires. This is called Least Privilege Access, and we’ve discussed the idea in the past. It cuts both ways: when someone changes roles, the access they no longer need should be removed, not just left in place while new access is added. Likewise, former employees should lose all access on their last day, and that means every system, not just the ones IT happens to remember. You wouldn’t believe how often organizations forget to remove a departing user’s access to email accounts, internal portals, or cloud services. This leaves the organization wide open to a disgruntled former employee, or to anyone who later gets hold of that user’s password. And when employees need to work remotely, access should be carefully safeguarded with strong passwords, Multi Factor Authentication, and Virtual Private Networks; of the three, MFA is the one that limits the damage when a password is stolen or phished.
Identity Management, Authentication, and Access Control Audit Questions
Macro Connect’s Cyber Security Audit is a pillar of our Cyber Security service offering. It is an exhaustive review that follows the NIST Framework in assessing any potential risks for a business or other organization. To give you an idea of how it works, we’ve included a few actual examples from the Audit:
Example Question 1: Are building access logs and video footage retained for 30+ days?
This may seem like a pretty trivial question, but crime can go undetected for several weeks before anyone in the office notices that property has been damaged or that information has been stolen or corrupted. By making sure security footage is stored for at least 30 days, businesses can help make sure these crimes are caught on video.
Example Question 2: Is there a standard process for distribution of initial passwords such that the user ID and password are either encrypted or communicated separately?
Often, new employees receive their user ID and password together on an email thread or on the new hire form. This is not secure. Usernames and initial passwords should be delivered through separate channels, or the password should be communicated verbally or in an encrypted message, so that a single intercepted email or misplaced form doesn’t hand over a working login. The initial password should also be a unique, randomly generated value that the system forces the user to change at first login, so it stops being useful the moment it has served its purpose. It’s too easy for a piece of paper to end up in the trash where prying eyes can find it, or for an unencrypted email to be intercepted.
Example Question 3: Are accounts auto disabled after 90 days of inactivity?
User accounts should be disabled at the end of an employee’s final day. But if an account slips through the cracks and is not disabled, a policy to auto-disable after 90 days of inactivity ensures the account is not left active indefinitely. And even for current employees, an unmonitored account is a loose end that could lead to problems. If someone hasn’t used an account for three months, they don’t need it. Disabling rather than deleting keeps the audit trail intact, and the account is easy to re-enable if the need arises in the future. The same rule should cover service and vendor accounts, which are the ones most often forgotten.
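The offboarding gap described under Digital Cyber Security Control and the 90-day inactivity rule above both come down to the same audit: compare which accounts are still enabled against which ones should be. The script below is an added example, not Macro Connect’s audit tooling or any product mentioned in this post. It assumes the directory has been exported into simple records (username, enabled flag, last logon, creation date) and that HR can supply a list of terminated users; the accounts, dates and names are constructed for illustration.

```python
"""Account-lifecycle audit: find enabled accounts that policy says should be disabled.

Added example for this post, not audit tooling from Macro Connect. Assumes a
directory export and an HR termination list; all sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

INACTIVITY_LIMIT = timedelta(days=90)  # the "auto-disable after 90 days" policy


@dataclass
class Account:
    username: str
    enabled: bool
    last_logon: Optional[datetime]  # None means the account has never logged on
    created: datetime


@dataclass
class Finding:
    username: str
    reason: str


def audit_accounts(accounts: Iterable[Account],
                   terminated_users: Iterable[str],
                   now: datetime) -> List[Finding]:
    """Return one Finding per enabled account that violates policy.

    terminated-but-enabled: the user is on HR's termination list but can still
                            log in (the offboarding step was missed).
    inactive-<N>d:          no logon for more than INACTIVITY_LIMIT; an account
                            that has never logged on is measured from its
                            creation date instead of being ignored.
    """
    terminated = {u.lower() for u in terminated_users}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled, nothing to report
        if acct.username.lower() in terminated:
            findings.append(Finding(acct.username, "terminated-but-enabled"))
            continue
        idle = now - (acct.last_logon or acct.created)
        if idle > INACTIVITY_LIMIT:
            findings.append(Finding(acct.username, f"inactive-{idle.days}d"))
    return findings


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample: a small directory export plus HR's termination list.
SAMPLE_ACCOUNTS = [
    Account("alice", True,  _utc(2021, 8, 30), _utc(2019, 1, 10)),  # active, fine
    Account("bob",   True,  _utc(2021, 4, 15), _utc(2018, 6, 1)),   # idle 139 days
    Account("carol", True,  _utc(2021, 8, 1),  _utc(2020, 3, 2)),   # terminated, still enabled
    Account("dave",  False, _utc(2020, 1, 1),  _utc(2017, 9, 9)),   # already disabled
    Account("erin",  True,  None,              _utc(2021, 5, 1)),   # never used, 123 days old
    Account("frank", True,  _utc(2021, 6, 5),  _utc(2016, 2, 2)),   # idle 88 days: under limit
]
SAMPLE_TERMINATED = ["Carol"]  # HR lists often differ in case from the directory


def run_sample(now: datetime = _utc(2021, 9, 1)) -> List[Finding]:
    """Run the audit over the constructed sample as of a fixed date."""
    return audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_TERMINATED, now)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.username:<8} {f.reason}")
```

In an Active Directory environment the inactivity half of this is what `Search-ADAccount -AccountInactive` and `Disable-ADAccount` do; the point of the example is the two conditions side by side, and the choice to measure a never-used account from its creation date rather than skipping it because it has “no activity.”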
Awareness & Training
The second category of the Protect Function is Awareness and Training. This is about building a security-savvy culture, where your employees become a security asset instead of a liability. Social engineering and phishing attacks necessitate constant vigilance and education so that employees can spot the latest tactics used by cyber criminals. Inky, which helps identify risky emails, and usecure, a comprehensive training program, are key components of our TotalSecure Suite of Cyber Security services. We’ve shared great detail on these in a recent post, but we wanted to take another look, with a few more examples from our Audit.
Awareness & Training Audit Questions
The Awareness and Training category of the Protect Function is every bit as important as Identity Management, Authentication, and Access Control. Below are a few more example questions to give you an idea of the rigor involved in our Cyber Security Audit. We leave no stone unturned, because criminals will try to exploit any gap in your protection.
Example Question 1: Is proactive information security training provided to staff on a regular basis?
Industry studies that get cited again and again attribute the large majority of successful attacks, a figure often quoted as 95%, to human error of one kind or another. Keeping staff up to date on the latest breaches and attack techniques reduces the chance of a staff member falling for an email phishing scam or another type of scam. This question is also one regularly asked by cyber insurance providers when they set your premiums, and the minimum they typically accept is quarterly training for the team.
Example Question 2: Do policies exist around the use of email for transmitting sensitive data?
Email should not be used to transmit sensitive information unless it is encrypted. Technologies now exist to enforce encryption automatically on messages that contain certain types of content, but policies and training about the risks of sending sensitive information by email are still an important step. You could have the best encryption tools available, but if employees don’t know how to use them or don’t understand why they matter, you might as well not have the tools in the first place.
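A content rule that enforces encryption is one concrete form the policy can take. The snippet below is an added example, not a description of any product named in this post: it decides whether an outbound message may go out as-is or must be encrypted by looking for Social Security numbers and Luhn-valid payment card numbers in the subject and body, honoring an “[encrypt]” subject tag, and leaving already-encrypted messages alone. The patterns, the tag convention and the sample messages are assumptions made for the example.

```python
"""Outbound-mail content rule: require encryption when sensitive data is present.

Added example, not a feature of any product named in the post. The SSN and card
patterns, the "[encrypt]" subject tag and the sample messages are constructed.
"""
import re
from typing import Dict, List, Tuple

# US SSN: rejects area 000/666/9xx, group 00 and serial 0000 to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# Candidate payment card: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
ENCRYPT_TAG = "[encrypt]"  # assumed convention: sender forces encryption via the subject


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) for each SSN or Luhn-valid card number found."""
    hits: List[Tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    return hits


def outbound_decision(message: Dict[str, object]) -> str:
    """Return 'allow' or 'encrypt' for a message dict with subject, body, encrypted."""
    subject = str(message.get("subject", ""))
    if message.get("encrypted"):
        return "allow"  # already protected (S/MIME, gateway encryption, ...)
    if ENCRYPT_TAG in subject.lower():
        return "encrypt"  # sender asked for it explicitly
    if find_sensitive(subject + "\n" + str(message.get("body", ""))):
        return "encrypt"  # policy: sensitive content must not leave in the clear
    return "allow"


# Constructed sample messages covering the cases the rule has to get right.
SAMPLE_MESSAGES: Dict[str, Dict[str, object]] = {
    "invoice":    {"subject": "Q3 invoice", "body": "Order 1234567890123456 shipped today.",
                   "encrypted": False},                       # digit run fails Luhn: allow
    "new_hire":   {"subject": "New hire paperwork", "body": "SSN on file: 123-45-6789",
                   "encrypted": False},                       # SSN in the clear: encrypt
    "card_enc":   {"subject": "Card on file", "body": "Visa 4111 1111 1111 1111 exp 09/25",
                   "encrypted": True},                        # already encrypted: allow
    "card_clear": {"subject": "Card on file", "body": "Visa 4111 1111 1111 1111 exp 09/25",
                   "encrypted": False},                       # valid card in the clear: encrypt
    "tagged":     {"subject": "[Encrypt] board minutes", "body": "Attached.",
                   "encrypted": False},                       # explicit tag: encrypt
}


def run_sample() -> Dict[str, str]:
    """Apply the rule to every constructed message and return the decisions."""
    return {name: outbound_decision(msg) for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, decision in run_sample().items():
        print(f"{name:<11} {decision}")
```

The Luhn check is what keeps order numbers and tracking IDs from tripping the rule; the patterns should be tuned to the data your business actually handles, and the rule treated as a backstop for training rather than a replacement for it.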
Example Question 3: Are phishing attacks simulated and measured to determine potential exposure on at least an annual basis?
This isn’t about tricking people or making them look bad. It’s about identifying real security gaps and helping people improve. Phishing simulations reveal which groups or individuals need direct follow-up training, and measuring click and report rates over time shows whether that training is working. Run often enough, they also serve as a reminder, keeping the topic on everyone’s radar so that staff stay on the lookout for these types of schemes.
Just the Tip of the Cyber Security Iceberg
As we mentioned, Cyber Security is a big topic and is growing in rigor and complexity all the time. We hope that this first post in our new series has helped break it down to make it useful and applicable to your business. Over the next couple months, we’ll have more posts that get into other areas of the Protect function, with more example questions so that you can see what we do to keep you safe.
Taking The First Step
Macro Connect’s team of experienced IT professionals can help keep your business or organization safe from the threat of cyber security breaches. Our comprehensive Audit and TotalSecure offerings address the most common Cyber Security issues at the most common entry points. If you want to conduct an Audit or learn more about TotalSecure, or just talk about why we think Cyber Security needs so much attention, give us a call. Our expert team is standing by and excited to help you better understand the world of Cyber Security. To get started, reach out and schedule a strategy appointment with one of our Client Solutions experts today!