NIST Cybersecurity Framework
Security strategy & governance

The NIST Cybersecurity Framework was developed by the National Institute of Standards and Technology to improve critical infrastructure cybersecurity. Work on the framework began with the intention of providing a cybersecurity standard for United States national security, the economy, public safety and the health sector. Because the framework is well documented and adaptable to other countries and organizations, it has been recognized and implemented globally. The Cybersecurity Framework was created in response to Executive Order 13636, which aims to improve the security of the nation's critical infrastructure against cyber attacks. While directed at "critical infrastructure" organizations, the Framework is a useful guide for any organization looking to improve its cybersecurity posture. It is a voluntary model: only companies that intend to protect their assets in an organized manner need follow it, so adopting NIST rests solely on the decisions of an organization's executives. One of the framework's critical issues is that it needs a considerable amount of expenditure to get up and running, since it was initially developed for large organizations, national bodies and corporations. Considering NIST for a very small company or a start-up may not be practical, as cost will be an issue.

Every framework is about providing techniques and practices to manage, mitigate and avoid security risks that may affect an organization in various ways. NIST is a risk management framework which provides mechanisms and a taxonomy for organizations to:

* Describe their currently prevailing cybersecurity practices

* Set out their target state for cybersecurity

* Identify opportunities for improvement via repeatable and continuous processes

* Communicate with internal and external stakeholders about cybersecurity risks

[Figure: Framework core (IPDRR)]


The document is divided into the framework core, the implementation tiers, and the framework profile. The framework core describes 5 functions of an information security program: identify, protect, detect, respond, and recover. 

1. Identify

A company needs to identify the assets and risks in every service it offers. Risk identification can begin with understanding the interactions, management and technology of every business process. Below are some reference questions that can be used in the identification process:

Is your company's data sensitive?

Where do you store and use sensitive data?

What is the potential loss when services shut down due to security incidents?

Who has physical access to company information?

What will happen in the case of access abuse?

2. Protect

After identifying its sensitive data, a company must protect it. Just as you keep valuables inside a vault, companies must secure their information assets. Some questions to ask in the Protect function are:

What technologies are used, or need to be used, to protect sensitive data?

Have access rights to information been established?

Have the management, awareness and policies for information security been established for all related parties?

3. Detect

Currently, cybercrime actors are quick to keep up with technological advancement and digitalization. Some TTPs (tactics, techniques and procedures) such as spear-phishing, zero-day vulnerabilities and social engineering are still effective methods of cybercrime. Therefore, companies need to develop the ability to detect TTPs used both internally and externally. One method is to implement a SIEM (Security Information and Event Management) system that is integrated with threat intelligence.

Below are questions as a guideline in the Detect function:

How can the logs of various IT systems and infrastructure be used to alert the company to potential intrusions or attacks?

How can global and regional cyber-attack threats be detected?

Is the company a potential target for attack?
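The article recommends a SIEM fed by system logs and threat intelligence but does not show what such a detection looks like in practice. The following is an added example, not code from the original article or from NIST: it parses a handful of constructed sshd-style authentication log lines, checks each source address against a constructed threat-intelligence indicator list, and raises an alert when one source produces a burst of failed logins inside a short window. The log lines, the indicator list, the rule names and the threshold values are all assumptions chosen for illustration; a real SIEM would read live logs and a live feed instead.

```python
"""Minimal log-based detection in the spirit of the Detect function.

Added example, not part of the original article. It parses a few
constructed SSH-style authentication log lines, correlates them with a
constructed threat-intelligence indicator list, and raises alerts for
(a) any source that appears on the indicator list and
(b) any source producing repeated failed logins inside a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data); sshd-like syslog format.
SAMPLE_LOGS = """\
2024-03-01T08:00:01 host1 sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 4410
2024-03-01T08:00:03 host1 sshd[102]: Failed password for root from 198.51.100.7 port 4411
2024-03-01T08:00:04 host1 sshd[103]: Failed password for root from 198.51.100.7 port 4412
2024-03-01T08:00:06 host1 sshd[104]: Failed password for root from 198.51.100.7 port 4413
2024-03-01T08:00:07 host1 sshd[105]: Failed password for root from 198.51.100.7 port 4414
2024-03-01T08:05:10 host1 sshd[110]: Accepted password for alice from 192.0.2.10 port 5001
2024-03-01T08:07:00 host1 sshd[111]: Accepted publickey for bob from 203.0.113.5 port 5002
2024-03-01T09:00:00 host1 sshd[120]: Failed password for bob from 192.0.2.10 port 5003
"""

# Constructed threat-intelligence indicators: addresses a hypothetical
# provider has flagged. In a SIEM this would come from an integrated feed.
THREAT_INTEL_IPS = {"203.0.113.5"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_logs(text):
    """Turn raw lines into dicts with ts, host, result, user and src."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not fatal
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def detect(events, intel_ips, threshold=5, window=timedelta(minutes=1)):
    """Return a list of (rule, src, detail) alerts.

    Rule 1: any event whose source is on the threat-intel list.
    Rule 2: `threshold` or more failed logins from one source within
            `window` (sliding window, at most one alert per source).
    """
    alerts = []
    # Rule 1: indicator match, regardless of whether the login succeeded
    for e in events:
        if e["src"] in intel_ips:
            alerts.append(("threat_intel_match", e["src"],
                           f"{e['result']} login for {e['user']} at {e['ts'].isoformat()}"))
    # Rule 2: failed-login burst, computed per source with a sliding window
    failures = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["result"] == "Failed":
            failures[e["src"]].append(e["ts"])
    for src, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("failed_login_burst", src,
                               f"{end - start + 1} failures between "
                               f"{times[start].isoformat()} and {times[end].isoformat()}"))
                break
    return alerts


def run_sample():
    """Run both rules over the constructed sample data."""
    return detect(parse_logs(SAMPLE_LOGS), THREAT_INTEL_IPS)


if __name__ == "__main__":
    for rule, src, detail in run_sample():
        print(f"ALERT {rule}: {src} ({detail})")
```

On the sample data the run produces two alerts: the successful key-based login from the flagged address (an indicator match is worth reviewing even when authentication succeeded) and the five failed attempts from one source within six seconds. The single failure from 192.0.2.10 stays below the threshold and is not reported, which is the kind of tuning decision a SIEM rule set has to make to keep alert volume manageable.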

According to a report from the Indonesia Security Incident Response Team on Internet Infrastructure Coordination Center (ID-SIRTII/CC), more than 205 million cyber-attacks were recorded in Indonesia during January-November 2017. Malware accounted for the largest share, with 36,4 million activities.



Of all detected malware activities, 37,72% were related to DoS, followed by exploits (20,93%), trojans (18%) and bad unknown (15%); the rest were adware, shellcode, CnC, Miss Attack, network attack, network scan and web application.

4. Respond

For some companies, attacks and intrusions are inevitable. Therefore, companies need the ability to respond to any attempted attack or security breach. Some basic questions in the Respond function are:

Does your company have standards and procedures for incident management?

Does your company have a communication plan for stakeholders in the case of a security incident?

Does your company log all incidents and use them as feedback for fixing and improving IT infrastructure and applications?


5. Recover

A company's ability to recover during or after an incident improves the level of trust toward the company and reduces the impact of potential loss. Imagine the damage when a system that manages millions of Rupiah is attacked and the integrity of the system is corrupted. The ability to restore data and run the system as usual is a key capability for every digital company.

Some basic questions to ask in the Recover function are:

Does your company periodically perform backups and restores?

Is there a coordination mechanism with related parties in the case of a security incident?

What is the recovery strategy in the case of a security incident?

[Figure: Function/category mapping]


NIST follows a simple flow in which the executive level of an organization communicates the available resources, risk appetite, mission and vision to the business/process level. This level is responsible for the critical infrastructure. The process level then communicates and collaborates with the operations level to identify the needs of the business and creates a profile.

[Figure: Overview of business needs]

The four tiers of NIST can be used to identify a company's level. Whether there is no sense of security risk management within the organization, or whether the organization is already adaptive to risk factors and mitigation methods, can be sorted out before adopting the framework. The Framework defines four implementation tiers: partial, risk-informed, repeatable and adaptive. These tiers are meant for self-analysis by the organization and allow the framework to be tailored to its risk tolerance and resources. Finally, the Framework recommends creating a current state profile and a target state profile based on an analysis of the organization's alignment with the Framework core. These profiles guide the organization's efforts to improve its cybersecurity posture.

A final report is generated and presented to the executive level. It includes the risk assessment results, impact levels and mitigation recommendations.

Tier 1: Partial

Limited awareness of cybersecurity. Risk management processes are not systematic or are non-existent. The organization has to work on risk management thoroughly.

Tier 2: Risk Informed

Some experience and awareness in several areas of cybersecurity. Some risk management practices are currently running within the organization.

Tier 3: Repeatable

Risk management is an integrated part of the organization. External partners are also aware of and support the risk management procedure.

Tier 4: Adaptive

Risk management is already a major part of the company and is based on the lessons it has learned. Employees and partners are actively included in risk awareness.

[Figure: NIST SP 800-37 risk management]


A profile for the organization can be generated using the tiers documented in the NIST framework. The adoption process can start once the profile has been drawn up relative to the framework. The organization's requirements, risk appetite, required resources and the core elements (Identify, Protect, Detect, Respond, Recover) that need improvement will all be clear, and adoption will be easier. The adaptive process can then begin with initiatives such as employee awareness programs and workshops.

Conclusion

The Cybersecurity Framework was created with the realization that specific controls and processes were already covered, and duplicated, in existing frameworks, and that organizations needed high-level guidance for improving their cybersecurity defenses. This makes the Framework well suited to any organization worried about ever-evolving cyber threats. Security specialists like can help organizations better determine their current and target security profiles by leveraging our expertise in cyber-security assessment. It is better suited to large organizations. The initial expense is high, as it takes more resources to gather information and time to create a complete company profile against the framework. However, the adoption process can be carried out very well, since the documentation is near perfect and gives a complete guide to what to do and how to do it. The framework is globally accepted and highly respected. NIST is one of the best frameworks to use if the organization is large and seeks an internationally accepted framework to adopt.


More articles by Mohnish Singh
