
04:05 PM
By Julian Hall, Freelance Journalist and Copywriter, Textual Healing

A Guide to the NIST Cybersecurity Framework

With cybersecurity threats growing exponentially, it has never been more important to put together an efficient cyber-risk management policy, and NIST's framework can help.

Just before lockdown it was reported that 46% of UK businesses had suffered cyberattacks in 2019, up 9% from 2018. Although businesses had plenty more to worry about in the intervening months with the COVID-19 pandemic, cybersecurity is still uppermost in the minds of many CEOs. One of the main ways in which businesses measure their preparedness for managing cyber-related security risks is to benchmark themselves against the Cybersecurity Framework developed by NIST (the National Institute of Standards and Technology, part of the U.S. Department of Commerce). With cybersecurity threats growing exponentially, it has never been more important to put together an efficient cyber-risk management policy – the NIST Framework can help businesses do so.


What Is NIST?
Founded in 1901, the National Institute of Standards and Technology (NIST) is a non-regulatory US government agency responsible for driving innovation and competitiveness through technology and metrics.

NIST measurements support a range of technologies, "from nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair, up to earthquake-resistant skyscrapers and global communication networks."

NIST also helps federal agencies meet the requirements of FISMA, the Federal Information Security Management Act, which covers the protection of government information and operational assets against natural or man-made threats.

With industry stakeholders, NIST has also created the Cybersecurity Framework (sometimes referred to as the NIST Framework) to help businesses manage cybersecurity and reduce their cyber risk. The stakeholders are described as "U.S. private-sector owners and operators of critical infrastructure," while its user base includes "communities and organizations across the globe."

The Cybersecurity Framework
Created and ratified by the US Congress in 2014, the Cybersecurity Framework is used by over 30% of US organisations and was projected to reach 50% this year. Among those organisations are JP Morgan Chase, Microsoft, Boeing and Intel. Meanwhile, overseas organisations using the framework include the Bank of England, Nippon Telegraph and Telephone Corporation, and the Ontario Energy Board.

The aim of the framework is to:

  • integrate industry standards and best practices to help organisations and businesses manage their cybersecurity risks;
  • provide a common language that allows staff to develop a shared understanding of their cybersecurity risks;
  • give guidance on how to reduce these risks;
  • give advice on how to respond and recover from cybersecurity attacks and learn from those incidents.

Although voluntary and not intended to be an exhaustive checklist, the framework covers five critical areas of cybersecurity:

  • Identify: looking at current data use and then evaluating and identifying risk;
  • Protect: the elements that help protect a business;
  • Detect: being aware of problems as they happen;
  • Respond: the bases needing to be covered to make an adequate response to a problem;
  • Recover: the steps needed to make an effective recovery of lost data.

All of these elements make up the "Core" element of the framework, represented in a simplified form (without subcategories) here:

The Core's role is to highlight desired cybersecurity outcomes and show how to manage risks in a way that complements existing processes.

The framework then directs the user to Implementation Tiers – these help organisations decide on the rigour of their cybersecurity measures. It's very much up to the individual organisation to decide what is appropriate, within existing guidelines of course, such as GDPR in Europe.

NIST outlines the Tiers as follows:

  • Tier 1: Partial – cybersecurity practices are adequate for the cybersecurity risks experienced.
  • Tier 2: Risk-Informed – the company/organisation is aware of some risks and is planning how to respond to them.
  • Tier 3: Repeatable – the company/organisation has clearly defined and regularly repeatable cybersecurity processes.
  • Tier 4: Adaptive – the company/organisation is proactively instigating cybersecurity measures.

Finally, NIST's CSF results in Framework Profiles, which are used to prioritise what actions are taken.

The NIST website describes the profile as "an organization's unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core."

NIST advises comparing a "current" profile with a "target" profile to identify ways of improving cybersecurity. While emphasising the voluntary status of the framework, and that there is "no 'right' or 'wrong' way to do it," NIST suggests using the subcategories of the Core to arrive at these profiles.

Here's an example, from NIST's website, of some of the subcategories that jump off from the Core:

A case study of CSF implementation can be found here, as well as a list on the CSF's own site, here.

The 2018 Cybersecurity Framework Update
Four years after it was created, NIST's Cybersecurity Framework was updated in 2018, based on feedback from the public.

Version 1.1 included updates on:

  • authentication and identity;
  • self-assessing cybersecurity risk;
  • managing cybersecurity within the supply chain;
  • vulnerability disclosure.

Commenting on the changes, the CSF's Program Manager, Matt Barrett, said: "This update refines, clarifies and enhances Version 1.0. It is still flexible to meet an individual organization's business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things."

If you want to see what kinds of issues might shape future versions of the framework, you can visit CSF's "Roadmap" page.

Meanwhile, you can also view an up-to-date timeline of CSF news.

UK Equivalents of the Cybersecurity Framework
While other countries have directly incorporated the CSF into their legislation, the UK has not officially done so. Instead, there are a number of pieces of legislation that replicate the aims of the CSF. Although these are not directly aimed at, for example, SMEs and startups, they contain examples of best practice similar to the NIST guidelines that are universally useful in building a risk management strategy.

The existing legislation includes:

  • The Minimum Cyber Security Standard (MCSS). Published in June 2018 and applicable to UK government departments, the MCSS is very close to the CSF.
  • Health and Safety Executive (HSE) operational guidance on Industrial Automation and Control Systems (IACS). Published in 2017 and aimed at preventing accidents resulting from cybersecurity breaches, this guidance primarily affects electricity providers and distributors, and businesses involved in the manufacture, use or storage of hazardous and explosive chemicals and microbiological substances.
  • Networks and Information Systems (NIS) directive. Introduced by the EU in July of 2016 for countries to benchmark against, the NIS Directive is aimed at critical infrastructure such as businesses within the sectors of oil, gas, energy, transportation, banking, water, food and telecommunications, and also companies providing an online service or platform, such as cloud computing or search facilities.

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things and more.

Julian Hall is a freelance journalist and copywriter, Textual Healing.
