Learn About the NIST Cyber Security Framework (Part 2)
The NIST Cyber Security Framework is a comprehensive guide that outlines best practices for keeping data safe. To understand it, you need to break it down piece by piece. The first of three components in this Framework is called The Core, and that’s what this blog series is focusing on. The Core is further subdivided into the five key Functions of Cyber Security: Identify, Protect, Detect, Respond, and Recover. Our last blog post took a deep dive into the Protect Function, with particular emphasis on two of its categories: Identity/Access Management and Awareness/Training. In this post, we’re going to explore two of the other key Functions of The Core: Identify and Detect.
Identifying Cyber Security threats is largely about the preparation underlying your security strategy, while Detect deals with catching issues as they happen. Both are essential to building a strong defense against Cyber Crime and effectively protecting your business or organization’s data.
Identify: Understanding Your Risks and Where They Come From
The Identify Function of Cyber Security focuses on understanding how systems, people, assets, data, and capabilities present risk to your organization. This involves a careful study of all elements of a business, because everything in your environment creates an associated risk. Systems have both technical and physical risks, for example open data ports and unlocked laptops. User behavior creates its own risks, for example clicking phishing links or trusting the wrong person with sensitive information. Carefully documenting these risks is the first step towards protecting yourself against them. NIST’s Identify Function provides a list of categories to focus your internal investigations:
- Asset Management
- Business Environment
- Governance
- Risk Assessment
- Risk Management Strategy
- Supply Chain Risk Management
It all sounds a little theoretical so, like last time, we’re going to dive deep into a couple of these categories to help you understand how they apply to the real world.
Company assets like physical devices, communication pathways, and external information systems all present their own unique kinds of risk. Therefore, they all need to be assessed and managed in a way that minimizes that risk. Do you have a closely managed inventory of all laptops and company cell phones? If not, the physical location of those devices, and the people who have access to them, are an inherent risk. When you track them, you can better control who can access potentially sensitive information. Do you have a roster of external technology partners that records when each contract begins and ends, along with information about their own Cyber Security history and efforts? Your partners’ security efforts should be evaluated consistently, because a breach of their systems can become a vulnerability in even the best-laid internal security efforts.
As you assess the risk presented by each of your company’s assets, whether they’re physical or digital, keep in mind that the things people don’t pay attention to often create the greatest risks. It’s easy to break in if no one’s minding the back door.
Another important category within the Identify Function of Cyber Security is Governance. In many businesses, especially small businesses, data management practices are a little ad hoc. Sometimes you use System A. Other times you use System B. Sometimes you save files on your laptop. Sometimes you save them on your cloud account. Sometimes you use a VPN. Sometimes you just use public WiFi.
Inconsistency is an Achilles’ heel and creates a major opportunity for would-be criminals. That is why we recommend that businesses adopt official policies that assign responsibility and dictate protocols appropriate to each role. There should also be consequences for breaking those protocols. This level of formality lets the entire company know how seriously you take Cyber Security and encourages adherence and accountability. And as we’ve discussed in previous posts, a culture of personal accountability is the foundation of effective Cyber Security.
Identify Audit Questions
Macro Connect’s Cyber Security Audit is a pillar of our Cyber Security service offering. It is an exhaustive review that follows the NIST Framework in assessing any potential risks for a business or other organization. To give you an idea of how it works for the Identify Function, we’ve included a few actual examples from the Audit:
Example Question 1: Is there a system or document that shows all hardware and software owned by the organization?
You want to have a detailed list of every device with access to company information. This list should include who is responsible for the device, what level of data they have access to, where they keep the device, and what software is installed on it. For your software, owned or licensed, you should keep track of the publisher, the date you purchased the software, any license expiration dates, and the publisher’s data security policies. Once you end a relationship with a software provider, make sure your data is either destroyed or carefully archived so that it’s not sitting around anywhere unmonitored.
Example Question 2: Are there documented consequences for non-compliance with the policies?
Enforcing a policy is only effective if there are real consequences for breaking it. Since Cyber Security is critical to the health and success of every business, you should have documented consequences for violating your policies. Of course, the severity of the punishment should fit the crime, but there are some data security violations that merit termination. If you write it down and have employees sign it, you’ll create better, longer lasting behavior that protects your company’s data.
Example Question 3: Are clear contracts in place with all vendors who have access to the information systems? Do they require security safeguards?
It’s surprising that, while many employers have strict digital policies for their own staff, they completely forget to regulate and control the way external vendors interact with their company data. Everyone you work with, from a cloud data storage company to your office cleaning company, should have a contract that outlines their responsibilities when it comes to protecting your data. If they’re not willing to keep your sensitive information safe, you shouldn’t work with them.
Detect: Catch Intruders In The Act
The Detect Function of Cyber Security requires a vigilant eye because its purpose is to quickly catch breaches and other Cyber Security events when they do happen. We all like to think that we can protect against any threat, but incidents can happen to anyone and, over a long enough timeline, will happen. That is all the more reason to have a strong Detection strategy to back up your Identification and Protection work. There are three main categories within the Detect Function: Anomalies and Events, Continuous Security Monitoring, and Detection Processes, but we’re going to focus on Anomalies and Events.
Detecting Anomalies & Events
Before you can detect an anomaly, you need a baseline understanding of how your network normally operates. This includes the expected flow of data, so that you know what looks normal. It’s a bit like a heartbeat and blood pressure: if you know your normal, healthy metrics, you can better recognize a murmur or some sort of fibrillation. After establishing that baseline, your network managers can flag activity that deviates from your expectations and analyze it to understand whether it’s really a threat or just an unexpected event. The faster this analysis can happen, the faster you can respond and prevent or mitigate damage.
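The baseline-then-deviation idea above, as an added example that is not part of the original post: a per-hour-of-day traffic baseline is learned from a constructed week of hourly outbound volumes, and later observations are scored by how many standard deviations they sit above that hour’s normal. All host names, values and thresholds are assumptions for illustration.

```python
import statistics
from collections import defaultdict


def build_baseline(samples):
    """samples: iterable of (hour_of_day, megabytes). Returns {hour: (mean, stdev)}."""
    by_hour = defaultdict(list)
    for hour, mb in samples:
        by_hour[hour].append(mb)
    baseline = {}
    for hour, values in by_hour.items():
        stdev = statistics.pstdev(values) if len(values) > 1 else 0.0
        baseline[hour] = (statistics.fmean(values), stdev)
    return baseline


def score(baseline, hour, mb, min_stdev=1.0):
    """Z-score against that hour's baseline; min_stdev stops quiet hours dividing by ~0."""
    mean, stdev = baseline[hour]
    return (mb - mean) / max(stdev, min_stdev)


def flag_anomalies(baseline, observations, threshold=3.0):
    """Return (hour, megabytes, score) for observations well above their hour's normal."""
    flagged = []
    for hour, mb in observations:
        z = score(baseline, hour, mb)
        if z > threshold:
            flagged.append((hour, mb, round(z, 1)))
    return flagged


def constructed_week():
    """Constructed training data (assumed, not real traffic): 7 days x 24 hours,
    busy during office hours, quiet at night, with a fixed per-day jitter pattern."""
    jitter = (-0.10, -0.05, 0.0, 0.05, 0.10, -0.08, 0.08)  # sums to zero
    samples = []
    for day in range(7):
        for hour in range(24):
            typical = 50.0 if 8 <= hour < 18 else 2.0
            samples.append((hour, typical * (1 + jitter[day])))
    return samples


# Constructed observations for one workstation: (hour_of_day, megabytes out).
OBSERVED = [(3, 400.0), (14, 58.0), (22, 3.0), (11, 260.0)]


def demo():
    """Hours 3 and 11 are far above their baseline and get flagged; 14 and 22 do not."""
    return flag_anomalies(build_baseline(constructed_week()), OBSERVED)
```

Flagged hours still need the human analysis the post describes; the score only says "unusual", not "malicious".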
Detect Audit Questions
The Detect Function of Cyber Security is just as important as the Identify Function. Below are a few example questions to give you an idea of the rigor involved in our Cyber Security Audit. We leave no stone unturned, because criminals will try to exploit any gap in your protection.
Example Question 1: Is remote access restricted based on role?
We’ve talked about the concept of Least Access before. It’s especially important for employees accessing your network remotely. When someone in the office accesses files they don’t need to see, it’s probably just an overly curious employee; you have a good idea of who is in the building. But when someone outside the office accesses files they shouldn’t see, it’s much harder to know whether they’re legitimate or whether it’s an attack.
Example Question 2: Are strong password management policies in place? (Complexity, can’t reuse last four passwords, max age 90 days, changes not allowed more than 1 time per day, password encryption not reversible)
Passwords are only as good as their complexity. Password1 is trivially easy to guess, and attackers have automated tools that test enormous numbers of guesses at high speed with minimal effort. They can research you online, feed in some publicly available details, and then run thousands of permutations to guess what your password is. Think using your mother’s maiden name and your anniversary is safe? Most of that information is publicly available, and a computer can test every conceivable combination in seconds. A truly strong password is long, includes a wide variety of character types, and is changed frequently.
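The policy parameters in the audit question above (complexity, no reuse of the last four passwords, 90-day maximum age, at most one change per day, non-reversible storage), as an added example that is not part of the original post: a small password-change check that enforces each rule while storing only salted one-way hashes. The 12-character minimum length and the three-of-four character-class rule are assumptions, since the post does not state a length.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Policy values from the audit question; MIN_LENGTH is an assumed value.
HISTORY_DEPTH = 4             # the last four passwords (current included) cannot be reused
MAX_AGE = timedelta(days=90)  # maximum password age
MIN_AGE = timedelta(days=1)   # at most one change per day
MIN_LENGTH = 12               # assumed
PBKDF2_ROUNDS = 100_000

def hash_password(password, salt=None):
    """Store passwords only as a salted, one-way PBKDF2-HMAC-SHA256 digest (not reversible)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def is_complex(password):
    """Complexity rule (assumed): minimum length plus three of four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    hits = sum(1 for c in classes if re.search(c, password))
    return len(password) >= MIN_LENGTH and hits >= 3

class PasswordRecord:
    """Per-user state: hashed history (newest first, current included) and last change time."""
    def __init__(self, password, now):
        self.history = [hash_password(password)]
        self.changed_at = now

def change_password(record, new_password, now):
    """Apply the min-age, complexity and history rules; return (accepted, reason)."""
    if now - record.changed_at < MIN_AGE:
        return False, "changed too recently"
    if not is_complex(new_password):
        return False, "does not meet complexity rules"
    for salt, digest in record.history:
        # Re-hash with the stored salt and compare in constant time; no plaintext is kept.
        if hmac.compare_digest(hash_password(new_password, salt)[1], digest):
            return False, "matches one of the last %d passwords" % HISTORY_DEPTH
    record.history.insert(0, hash_password(new_password))
    del record.history[HISTORY_DEPTH:]   # forget anything older than the last four
    record.changed_at = now
    return True, "ok"

def is_expired(record, now):
    """Max-age rule: the password must be changed once it is older than 90 days."""
    return now - record.changed_at > MAX_AGE
```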
Example Question 3: Is access to the server room limited to personnel who require such permissions?
This one is pretty obvious. Jeff from HR doesn’t need to get into the server room. Not only could he accidentally mess up a system setting, but he could unintentionally upload something nefarious. Only professional network engineers and computer support personnel have any business in the server room. Everyone else should be locked out.
There’s Always More To Learn About Cyber Security
As we mentioned, Cyber Security is a big topic and is growing in rigor and complexity each day. We hope that this second post in our series has helped break it down to make it useful and applicable to your business. Over the next couple of months, we’ll have more posts that get into other areas of the NIST Framework, with more example questions so that you can see what we do to keep you safe.
Taking The First Step
Macro Connect’s team of experienced IT professionals can help keep your business or organization safe from the threat of cyber security breaches. Our comprehensive Audit and TotalSecure offerings address the most common Cyber Security issues at the most common entry points. If you want to conduct an Audit or learn more about TotalSecure, or just talk about why we think Cyber Security needs so much attention, give us a call. Our expert team is standing by and excited to help you better understand the world of Cyber Security. To get started, reach out and schedule a strategy appointment with one of our Client Solutions experts today!