Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
3/5/2015
09:50 AM
Scott Montgomery
Scott Montgomery
Partner Perspectives
50%
50%

How Secure Are You?

The NIST Cybersecurity Framework can help you understand your risks.

Are you secure? Unfortunately, there is no way to prove that no one can breach your security. You can be compliant with any number of different regulations and frameworks and still be caught by some new attack or unanticipated vulnerability. That is one reason I like the Framework for Improving Critical Infrastructure Cybersecurity, released last year by the National Institute of Standards and Technology (NIST).

This security framework is different from other security regulations and frameworks because it is a process- and risk-management tool, not a static checklist or set of compliance requirements. Over the past year, we ran a pilot project with this framework in the Intel IT department to see how it works in the real world and how it compares to our existing security posture and processes. One of the most valuable lessons learned was how the framework improved visibility and facilitated discussions about risk throughout all levels of the company. Using the framework, we developed a heat map of our risk scores in several categories under the five major functions: identify, protect, detect, respond, and recover. Our CISO and the core security team established the desired target scores and their evaluation of the current scores in each area.

Then, without revealing the targets or the core team’s numbers, we asked several subject-matter experts throughout the company to score their own worksheets. Comparing these worksheets identified key issues for discussion, including a large gap between core team and SME scores, education and visibility issues, and a positive or negative gap between current and target numbers, indicating areas of under or overinvestment. Categories with a low score were expanded into subcategories (e.g. computing assets expanded to laptops, tablets, mobile, servers, storage, and network) to find the specific areas in need of improvement.  

The five functions emphasized to everyone that security is more than detect and protect. Identifying data and tasks that require protection helped us highlight areas that needed further assessment. Developing the target scores supported better informed discussions on risk tolerance. The respond and recover functions underlined the need to be prepared to act quickly in the event of a breach to contain the damage and inform those affected. And the whole process enhanced our communications by harmonizing our language and terminology and helping us to recognize areas of difference and disconnect.

Our experience with this framework has been very positive, and we plan to continue to use it throughout Intel and with our suppliers and partners. I would encourage any size organization to evaluate and implement it also. When you do, we have a few suggestions to share from our initial project:

  • Do it yourself. This is a process for discovery and discussion, not a checklist or assessment that can be done by a consultant.
  • Start small and easy.  It’s best to start with a small group that is comfortable with at least some of the language and technology, not across the whole organization.
  • Customize for you. This is not a one-size-fits-all framework. Tailor the components for your business and technology environment.
  • Work with decision makers. Risk management is not a static process, and it touches all levels of the organization. Engage them early and continually.

This framework began with collaboration between government, industry, and non-governmental organizations. Our best bet for better security is to continue that approach, protecting privacy and civil liberty, while promoting innovation and the use of the Internet for global economic development.

Scott Montgomery is vice president and chief technology officer for the Americas and public sector at Intel Security. He runs worldwide government certification efforts and works with industry and government thought leaders and worldwide public sector customers to ensure that ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25596
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
CVE-2020-25597
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...
CVE-2020-25598
PUBLISHED: 2020-09-23
An issue was discovered in Xen 4.14.x. There is a missing unlock in the XENMEM_acquire_resource error path. The RCU (Read, Copy, Update) mechanism is a synchronisation primitive. A buggy error path in the XENMEM_acquire_resource exits without releasing an RCU reference, which is conceptually similar...
CVE-2020-25599
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory a...
CVE-2020-25600
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm (either bitness) ones. 32-bit x86 domains...