Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
3/5/2015
09:50 AM
Scott Montgomery
Scott Montgomery
Partner Perspectives
50%
50%

How Secure Are You?

The NIST Cybersecurity Framework can help you understand your risks.

Are you secure? Unfortunately, there is no way to prove that no one can breach your security. You can be compliant with any number of different regulations and frameworks and still be caught by some new attack or unanticipated vulnerability. That is one reason I like the Framework for Improving Critical Infrastructure Cybersecurity, released last year by the National Institute of Standards and Technology (NIST).

This security framework is different from other security regulations and frameworks because it is a process- and risk-management tool, not a static checklist or set of compliance requirements. Over the past year, we ran a pilot project with this framework in the Intel IT department to see how it works in the real world and how it compares to our existing security posture and processes. One of the most valuable lessons learned was how the framework improved visibility and facilitated discussions about risk throughout all levels of the company. Using the framework, we developed a heat map of our risk scores in several categories under the five major functions: identify, protect, detect, respond, and recover. Our CISO and the core security team established the desired target scores and their evaluation of the current scores in each area.

Then, without revealing the targets or the core team’s numbers, we asked several subject-matter experts throughout the company to score their own worksheets. Comparing these worksheets identified key issues for discussion, including a large gap between core team and SME scores, education and visibility issues, and a positive or negative gap between current and target numbers, indicating areas of under or overinvestment. Categories with a low score were expanded into subcategories (e.g. computing assets expanded to laptops, tablets, mobile, servers, storage, and network) to find the specific areas in need of improvement.  

The five functions emphasized to everyone that security is more than detect and protect. Identifying data and tasks that require protection helped us highlight areas that needed further assessment. Developing the target scores supported better informed discussions on risk tolerance. The respond and recover functions underlined the need to be prepared to act quickly in the event of a breach to contain the damage and inform those affected. And the whole process enhanced our communications by harmonizing our language and terminology and helping us to recognize areas of difference and disconnect.

Our experience with this framework has been very positive, and we plan to continue to use it throughout Intel and with our suppliers and partners. I would encourage any size organization to evaluate and implement it also. When you do, we have a few suggestions to share from our initial project:

  • Do it yourself. This is a process for discovery and discussion, not a checklist or assessment that can be done by a consultant.
  • Start small and easy.  It’s best to start with a small group that is comfortable with at least some of the language and technology, not across the whole organization.
  • Customize for you. This is not a one-size-fits-all framework. Tailor the components for your business and technology environment.
  • Work with decision makers. Risk management is not a static process, and it touches all levels of the organization. Engage them early and continually.

This framework began with collaboration between government, industry, and non-governmental organizations. Our best bet for better security is to continue that approach, protecting privacy and civil liberty, while promoting innovation and the use of the Internet for global economic development.

Scott Montgomery is vice president and chief technology officer for the Americas and public sector at Intel Security. He runs worldwide government certification efforts and works with industry and government thought leaders and worldwide public sector customers to ensure that ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11997
PUBLISHED: 2021-01-19
Apache Guacamole 1.2.0 and earlier do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that co...
CVE-2020-27266
PUBLISHED: 2021-01-19
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, a client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass user authentication checks via Bluetooth Low Energy.
CVE-2020-27268
PUBLISHED: 2021-01-19
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, a client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass checks for default PINs via Bluetooth Low Energy.
CVE-2020-27269
PUBLISHED: 2021-01-19
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, the communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications lacks replay protection measures, which allows unauthenticated, physically proximate attackers to replay communication sequences vi...
CVE-2020-28707
PUBLISHED: 2021-01-19
The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdio_chart_historical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage() event is not validated. The stockdio_eventer function listens fo...