Tag Archive for: nist
Operationalize the NIST Cybersecurity Framework Without Pulling All Your Hair Out (Part 2 of 3)
This is the Part 2 of a 3-part blog on how to use the NIST cybersecurity framework without getting bogged down and lost in the minutia of the specification documents. Part 1 can be found here, and we recommend you read this piece first if you have not already done so.
Let’s recall the 5 core functions of NIST.
In Part 1 of this blog, we discussed the Identify function and how it is foundational to the NIST cybersecurity Framework. We saw how implementing Identify enables clear communication and decision-making within the cybersecurity team and in the board room.
We also discussed what you need to do in order to gain increased maturity in your implementation of Identify. We defined some KPIs that you can use everyday to track progress in the maturity level of your Identify capabilities.
In this 2nd part, we will discuss how to implement the Protect and Detect functions of the NIST cybersecurity framework.
PROTECT
“The key to protecting the enterprise is to be proactive in managing your vulnerabilities and risk items.”
Your 1st line of defense against cyberattacks consists of the following elements:
- Firewalls, IPSes, WAFs
- VPN and BeyondCorp
- Endpoint security
- Continuous vulnerability management
Firewalls allow you to implement a set of rules that restrict outside access to your internal network resources. In the old days all you needed to worry about was firewalls at the connection points between your various sites and the Internet. Today, you also need to worry about deploying and appropriately configuring firewalls at your cloud-based data centers (e.g., AWS VPCs), and for each mobile endpoint.
Intrusion Protection Systems (IPSes) inspect network traffic and block malicious network traffic, and may be deployed in addition to Firewalls or as part of a consolidated product. Web Application Firewalls are specialized systems designed to protect your public web-based applications.
Firewalls, IPSes and WAFs help you “lock down” access to your distributed enterprise. In order to support authorized users to securely access your network, Virtual Private Network (VPN) systems can be implemented. Some organizations, e.g., Google, have moved away from VPNs by…
More Details on the NIST SP800-53 Revision 5 Finalized Security and Privacy Framework
The National Institute of Security and Technology (NIST), recently released Revision 5 of the SP800-53 Security and Privacy Framework, on September 23, 2020. It is an important update, since SP800-53 hasn’t been updated since Revision 4 was released in April of 2013. While much of the press around this update has been around the privacy controls that have been updated, there are two important new additions to the framework in the area of application security that are important for enterprises and Federal government organizations to understand. Two new security items added to the framework, are in:
- SI-7 Software, Firmware and Information Integrity – Section 17: Runtime Application Self-Protection
- SA-11 Developer Testing and Evaluation – Section 9: Interactive Application Security Testing.
As indicated by the abstract, “this publication provides security and privacy control baselines for the Federal Government.” In addition, it is estimated anywhere from 30 to 50 percent of enterprises also use this framework for their security architecture. NIST calls this an historic update to its security and privacy controls catalog.
These 2 updates give a new boost to the importance of application security. The new updates include references to the inclusion and need for interactive application security testing (IAST) and runtime application self-protection (RASP) tools. With these updates, application security gets new focus as part of the mainstream NIST framework and should help developers catch security flaws before an application is launched. If you are wondering how this new framework might affect you or your organization, here’s a recommendation from a recent article in the National Law Review:
Putting it Into Practice: Federal contractors should pay close attention to these guidelines as these new security and privacy baselines will be applied to any federal information system used or operated by a contractor on behalf of an agency, or another organization on behalf of an agency. Companies in the private sector should pay attention as well, as NIST guidance is often used as a basis for industry standards in security and privacy.
In this document we will be focusing on the…
NIST seeks industry feedback as Internet of Things cybersecurity standards take shape – Federal News Network
NIST seeks industry feedback as Internet of Things cybersecurity standards take shape Federal News Network
The internet of things covers a wide range of devices, from smart speakers to medical devices, but the National Institute of Standards and Technology is looking …