Congress passed the Cybersecurity Enhancement Act in 2014 as it was becoming increasingly clear that cyber threats were growing in severity and impact. One of the provisions in the law empaneled the National Institute of Standards and Technology (NIST) to develop a set of guidelines in the form of recommended controls and best practices to improve an organization’s cyber resiliency and manage risk.
Officially known as NIST 800-53, the first version of the framework was published in 2014 and was focused on public and private organizations responsible for critical infrastructure such as the power grid, air traffic control, etc. Over time, NIST has been very inclusive in evolving the framework, actively soliciting and incorporating feedback from a wide variety of organizations across many industries, both from the US and internationally.
NIST has been so successful that many of their international government counterparts have incorporated the framework into their own cyber policies and to accommodate other security control frameworks, the have mapped 800-53 to the ISO and COBIT standards. The result is that the latest version published in 2018 is now inclusive enough that its adoption is rapidly growing across the globe.
The framework is organized in five categories under which individual controls are grouped. They are:
- Identify. Know your risk—key assets and information and where they might be vulnerable.
- Protect. Mitigate that risk with people, process and technology. Consider adding cyber insurance in case an attack is successful. The Marsh Cyber Catalyst program is a great way to identify security products that reduce risk.
- Detect. Acknowledge that no defense is perfect, so continuously monitor for evidence of compromise.
- Respond. Once an attack is detected, take action before damage is done.
- Recover. Return to an operational state in the event an attack is successful.
With over 100 individual prescribed outcomes, the NIST framework is a comprehensive “benchmark” against which an organization can map their cyber defenses, identify gaps and areas of investment and track their progress. It can also be used to focus on specific cyber security uses cases or threats such as GDPR, PCI compliance or threats such as ransomware.
With the recent uptick in ransomware, let’s use it as a test case and take a horizontal “slice” through the NIST framework which might look something like this:
- Identify. Inventory ransomware targets, that is, your sensitive data and databases (and their backup copies) and do periodic vulnerability scans on their servers and associated applications.
- Protect. This can range from protecting the firmware in the servers to restricting access to only those individuals and devices that have a “need to know” so that if a compromise occurs, the attacker does not have free rein across the network.
- Detect. Given that ransomware often enters via spearfishing and coopts legitimate credentials, monitoring for changes in behavior that is often indicative of a compromise may be the only way to spot an attack.
- Respond. Ransomware may take hours, days, weeks or even months to progress through its kill chain stages, so if an attack is detected, quick action to quarantine or remove a device may prevent serious damage.
- Recover. Finally, despite all the careful planning, ransomware does successfully execute. This is where having a recent comprehensive backup and a recovery plan is critical. Be sure to carefully protect your backup resources because an attacker knows that they won’t get paid if you can recover.
Organizations are now being more deliberate and organized in approaching cyber defense. The NIST cyber security framework is an effective method of identifying gaps, prioritizing investments, and importantly, communicating the state of cyber readiness to both technical and non-technical stakeholders.
