NIST Cybersecurity Framework: Protect
National Institute of Standards and Technology (NIST) maintains one of the most widely adopted cybersecurity frameworks for critical infrastructure and organisations in many other sectors. NIST Cybersecurity Framework is an excellent system to base the creation of policies and procedures on for the purposes of managing risk, security hardening networks, and incident response. There’s a lot of content in the Framework, which was designed to cover a lot of ground. Fortunately, the most important ideas in the Framework can be organised according to its five functions – identify, protect, detect, respond, and recover. We will tell you what you should know about all five functions.
Previously, in our blog, we covered the first function, ‘Identify’. The identify function is all about determining your organisation’s data assets, understanding how your business functions affect your operations and supply chain, and conducting thorough risk analysis and risk management. Now we’re onto the next function, 'Protect'.
Protect
Now that we know what we have and why it’s important, we need to figure out how to develop policies and procedures to protect it all. In NIST’s words, the protect function is about how to “develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services.” Each of the five functions builds upon the previous function. So now we must prepare our defences and make sure they’re effective. Let’s get into what needs to be done, shall we?
Access control
Access control is one of the most important tools in cybersecurity. It’s all about making sure that only authorised parties have access to data assets, buildings, user identities, and machine identities. There are lots of different ways to implement access control, including account credentials, cryptographic keys, and locked doors.
There are also different methodologies for implementing access control. The principle of least privilege should guide all these methodologies. The principle of least privilege is about granting users access only to what they absolutely need to do their jobs, and no more. The more access is limited the more effective security can be, but a balance must be found for the sake of productivity, functionality, and usability.
Role based access control manages access according to a user’s role in the company or organisation. One of the simplest ways to do this is to create user groups for each of the roles in your company’s network and put individual user accounts into these groups accordingly. For instance, there could be one group for your accountants and another group for your network administrators. Mandatory access control is a very strict system in which users are unable to grant permissions to other users, even if they’re the author of a file. Access control is designed and deployed from a centralised authority. Discretionary access control is a system that can be very flexible. For instance, a hierarchy of files may be accessed based on certain user permissions. In addition to these methodologies, there are many others.
There are many different technologies and philosophies that can be used to implement access control according to your organisation’s needs. The NIST Cybersecurity Framework considers both computerised access control and physical access control (doors, locks, security cameras) to be very important. In this task of the protect function, you must make sure that your organisation’s access control policies and procedures are effective for making sure that only authorised parties have access to your various resources.
Awareness and training
The human element is a major factor in cybersecurity. Many security vulnerabilities are caused by human error. Most cyber attacks involve social engineering – fooling human beings, at some point or another. Yes, that includes advanced persistent threats. Also, the people in your organisation are the ones who must both enforce and abide by security policies.
So the awareness and training task is crucial. Your CISO and security stakeholders must make sure that security training programmes are effective. They should also be frequent, as people learn best with some repetition and reminders. All the people in your organisation should have at least some security training, even receptionists and janitors.
Data security
Now that we have systems for assuring that only authorised parties have access to your organisation’s buildings and networks and we have educated our people, we’re ready for the next task. That’s to make sure that all of your organisation’s data is handled according to your business’ risk strategy (designed in the previous identify function). The CIA Triad of cybersecurity stands for confidentiality, integrity, and availability. So, we must make sure that only authorised parties have access to data, which is confidentiality. We must make sure that data isn’t altered without authorisation, integrity. Finally, we must make sure that data is there when needed, availability.
Information protection processes and procedures
Do you remember the governance task of the identify function? It’s about understanding your organisation’s various security policies for for managing and monitoring regulatory, legal, risk, environmental and operational requirements. This task is about maintaining and leveraging security policies, processes and procedures to adequately protect critical data and the systems that support it.
While you’re here, make sure your organisation has incident response and business continuity procedures. Be prepared for anything!
Bruce Schneier famously says, “security is a process, not a product.” Security isn’t something you set and then forget. Security is a continuous process, and this task of the protect function reflects that.
Check your patch management procedures. Review all of your organisation’s security policies periodically. You should also engage in regular security testing, which can include having a red team and/or penetration testing.
Protective technology
Your organisation’s networks implement a lot of different protective technologies. These can include, but aren’t limited to firewalls, intrusion detection and prevention systems, and thorough logging of all of your networking appliances. In this task your organisation and security stakeholders must assure that you have policies and procedures for making sure all of these protective technologies work properly.
Protection is vital
The first function we covered in our blog series was ‘Identify’. Once you know what you have and what your priorities are, you can move onto ‘Protect’, which is all about defending what you have.
Defensive security is very important, and you must make sure your organisation has cybersecurity arrangements in place which are effective to those ends. Now you’re ready for the next function, ‘Detect’. Stay tuned… …