NIST Cybersecurity Framework: Second, Build a Moat

By: Josh Mayfield | 7/10/2018

My last post guided you through the first pillar of the NIST Cybersecurity Framework (CSF): Identify. Here, we’ll talk through the steps to fulfill the second pillar of NIST CSF: Protect. But first, let’s consider a small, subtle nuance in our language.

“Safe” is an adjective, not a verb. Although everyone wants to describe their data, devices, apps, and users as safe, the label is only true when a human takes deliberate steps to realize it. When we say something is “ready” or “finished”, we are describing something that has necessarily gone through a state change. Someone must act to ensure anything is ready, finished, or safe.

This is what makes the NIST CSF different from a compliance checklist. NIST CSF centers around the actions needed to achieve the desired state: safe devices, safe data, safe apps, safe users. Let’s take a closer look at what IT and IT security teams can do to use the adjective more broadly and more often.

NIST CSF Pillar Two: Protect

Once we’ve completed our first step to identify and calibrate our resources and align them with our risk appetite and strategy, we can move our focus to protecting devices, data, apps, and users. The second law of thermodynamics tells us that everything in our universe goes from order to disorder, unless something (or someone) acts to reverse the drag of entropy. Protecting IT resources is no different. Without action, they will naturally lead to disorder, insecurity, and ultimately data loss.

Thankfully, the NIST CSF offers practical steps to protect data and prevent the law of entropy from pulling IT resources toward disorder.


They include:

  • Access control
  • User awareness and training
  • Data security
  • Protective technology

Here, we’ll take a look at access control and your users. The next post will examine data security and technology.

Access Control

NIST CSF states: “Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.”

To reach a point of data safety Utopia, we must control who, how, when, and in what circumstances access is granted. This begins with managing the identities and credentials of those accessing the goods. Authentication techniques are built on trust and that trust is achieved when you provide one or more of the following:

  • Something you know (like a password)
  • Something you have (like a smart card or token)
  • Something you are (like biometrics, fingerprints, retinal scans)

But managing identities and credentials is only one aspect of access control. Everything happens in a context. That context is the physical and digital environment where resources are accessed by a trusted identity. NIST CSF references two contexts for access control: physical and remote. Physical contexts put the user in the same geospatial location as the resource, which needs to be managed and guided by the principle of ‘trust but verify’. Protection looks like cages in the data center, locked doors with limited access, and geofencing laptops to prevent changes to their intended location. By implementing physical access control, we are putting matter in place to guard IT resources—devices, data, and apps—from unauthorized access. This is a probability exercise. Barricades on a city street are not 100% successful at stopping vehicles from taking a particular route, but they do lower the likelihood and frequency of traffic.

We’ll never reduce our risks to zero, but we can use this sub-goal of the NIST CSF to lower the frequency of access: authorized and unauthorized.

Today’s enterprise is boundless. We see a mobile workforce, cloud apps, heterogeneous devices, and collaboration with suppliers, partners, contractors, and other users of our valuable IT resources. Within this patchwork, NIST CSF provides the same guidance as with physical security. The difference is that instead of moving matter around in space—cages, fences, locked doors—we use bits and bytes to build a moat around our IT resources. NIST CSF’s popularity is rivaled by another IT security trend that is answering this requirement: zero trust. In a zero trust mindset, all users, devices, apps, workloads, endpoints, and networks are suspicious of one another. Without authentication happening at each moment, everything grinds to a halt. We’ll cover zero trust more in depth in a later post.

This ideal folds into the final piece of the NIST CSF Access Control provision, “Access permissions are managed, incorporating the principles of least privilege and separation of duties”. By restricting access to only those authorized within the appropriate context and, even then, compressing access to the least privilege, you find yourself waking up doing zero trust without realizing it. It doesn’t have to be a total re-write of security architecture or an overhaul of security policies. All you have to do is adopt the principle: least privilege, separate duties.
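The Access Control requirements walked through above (authentication built from the know/have/are factor types, a stricter remote context, least privilege, and separation of duties) combined into one deny-by-default decision function. This is an added illustration, not code from the post or from Absolute; the role names, factor names, sample permissions and the rule that remote access needs two distinct factor types are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Factor categories from the post: something you know / have / are.
# Mapping of concrete factor names to categories is an assumption for the example.
FACTOR_TYPES = {"password": "know", "otp_token": "have",
                "smart_card": "have", "fingerprint": "are"}

# Least privilege: each role lists exactly the actions it is granted; nothing is implied.
ROLE_PERMISSIONS = {
    "payables_clerk": {"invoice:create"},
    "payables_approver": {"invoice:approve"},
    "auditor": {"invoice:read"},
}

# Separation of duties: role pairs that one identity must never hold together
# (the person who creates an invoice must not be the one who approves it).
SOD_CONFLICTS = {frozenset({"payables_clerk", "payables_approver"})}


@dataclass
class AccessRequest:
    user: str
    roles: set       # roles assigned to the identity
    factors: set     # factor names presented at authentication
    context: str     # "physical" or "remote"
    action: str      # e.g. "invoice:approve"


def distinct_factor_types(factors):
    """Two factors of the same category (e.g. token + smart card) count once."""
    return {FACTOR_TYPES[f] for f in factors if f in FACTOR_TYPES}


def sod_violation(roles):
    return any(pair <= roles for pair in SOD_CONFLICTS)


def decide(req):
    """Return (allowed, reason). Denied unless every check passes."""
    if sod_violation(req.roles):
        return False, "separation of duties: conflicting roles assigned"
    needed = 2 if req.context == "remote" else 1   # remote context requires a second factor type
    if len(distinct_factor_types(req.factors)) < needed:
        return False, f"authentication: {needed} distinct factor type(s) required for {req.context} access"
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if req.action not in granted:
        return False, f"least privilege: {req.action} not granted to roles {sorted(req.roles)}"
    return True, "authorized"
```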

When implementing these steps for access control, you’ll find that users are awoken to a fresh world and are disoriented by their new surroundings. This is why the next sub-goal of the Protect pillar is to educate those users so you get far-reaching compliance.

Awareness and Training

NIST CSF states: “The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.”

Now, it’s true that spoofing users with fake phishing scams can reveal who is most vulnerable to Nigerian despots looking to share their ill-gotten fortune, but it does little to educate those vulnerable users on the principles of cybersecurity. It’s old news that there is a cybersecurity skills shortage and that there is a 10% negative employment rate in IT security. However, when you look at the competency of the typical user, the skill level drops off a cliff. That is why user awareness and training is a critical part of the Protect pillar of the NIST CSF.

First, we must make sure users are informed about security practices, many of which they will experience directly when using IT resources. Programs include video tutorials, policy review and signature, and gamifying the process to ensure each user is fully aware of best practices and the unique security of their organization. If you are rolling out Duo or Okta Verify for two-factor authentication (2FA), you may want to consider pushing the app directly to devices enrolled.

The most effective and creative program I’ve seen is when an organization has a leaderboard broken up by cross-functional teams—sales, marketing, accounting, IT, engineering, etc.—vying for the top spot in a competition. Think of it as a tournament for your security training. Divide the teams up with representation from different departments, describe the rules of the game, entice everyone with a nifty grand prize, and let human nature take over.

Second, we come to training. Often, this becomes a program with dual-ownership between IT and human resources. With this tendency, it is only natural to slip into the pattern of less training after an employee’s onboarding. But cybersecurity is a skill and skills are developed just like a spoken language. It takes immersion to get to the level of a native-speaker, not rote memorization of parsing tables. If we’re going to fulfill the NIST CSF requirement for awareness and training, then we better make sure our training is continuous throughout the employee lifecycle. If we don’t, we will undermine our goal of universal compliance with security programs and data will be left exposed to the damaging aftermath.

No degree of awareness and training will be a panacea for data protection; we must also implement security around the data itself to counter its natural tendency to proliferate. The first two aspects of the Protect pillar focus on identities: 1) how identities access IT resources and data, and 2) what knowledge is provided to those identities accessing IT resources and data.

In my next post, we’ll squeeze the aperture to examine security measures for the data we’re called to protect.
