Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
The National Institute of Standards and Technology cybersecurity framework has the breadth and rigor to provide a meaningful framework for companies to succeed in their cybersecurity efforts in 2017, the authors write.
By Paul A. Ferrillo and Chris Veltsos
Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP in New York and is part of Weil's Cybersecurity, Data Privacy and Information management group, where he focuses primarily on cybersecurity corporate governance issues and regulatory matters.
Chris Veltsos is an associate professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes, and cyber risk strategist at Dr. InfoSec blog and a contributor to the SecurityIntelligence.com blog sponsored by IBM.
Paul Ferrillo and Chris Veltsos have published the book “Take Back Control of Your Cybersecurity Now.” This article also features comments by Ron Ross, a Fellow at the National Institute of Standards and Technology (NIST), and Matthew Barrett, a senior computer scientist and project manager at NIST. We are grateful for their input and their comments.
There are tons of “cybersecurity predictions for 2017” articles, tons of “what the new administration will do on cybersecurity” articles, and even more “what the old administration wishes the new administration would do on cybersecurity” articles. These articles contain lots and lots of best practices. If we were printing these articles out, we would be killing a lot of trees, and even more brain cells. Do this, do that, these articles say. Kind of like arguing with my son over how to play his Nintendo Wii University video games. He knows best. I do not.
Well, now, hmm… My son may know more about his video games (and how to beat his old man handily), but his dad is a student of human nature. His dad has seen lots of bad things happen to companies of all shapes and sizes: due to the economy, due to fraud, due to a lot of things I wouldn't wish on anybody. That is why I wrote “Navigating the Cybersecurity Storm” last year. See Bloomberg BNA, “‘You Are Going to Need a Bigger Boat’ in 2016 To Navigate the Cybersecurity Storm.” And that is why Chris Veltsos and I wrote “Take Back Control of Your Cybersecurity Now” this year: to help Corporate America understand the importance, necessity and application of good cybersecurity principles and governance, and to break something very complicated into bite-sized pieces that mere mortal directors and officers can understand, appreciate, and put into action.
We are not faulting any of these year-end articles, of course. They are someone's opinion. We respect that. Chris and I just have our own opinion, gained through 20 years of corporate governance, litigation and computer science experience.
Our opinion: cybersecurity is hard stuff. It is not one size fits all. It is not intuitive. And sometimes even the best of us don't get it. That is why all the strategies and committees and best practices we have known for years have not gotten us very far in the cybersecurity world. Our opinion: keep it simple, silly. Keep it strategic. Why use a cleaver when a butter knife will do?
Lost in the year-end shuffle of articles is the seminal publication, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (the Framework). The Framework is something Chris and I have written a lot about. It is something a lot of companies have already adopted successfully. It is something that works. Why does the Framework work? Its elegant simplicity. Identify, Protect, Detect, Respond and Recover: five elements only (not 20), in plain English, written not just for computer scientists and network engineers to adopt and use, but for corporate directors and officers as well. See, e.g., “Why you should adopt the NIST Cybersecurity Framework.”
This simplicity was both anticipated and necessary:
According to Matt Barrett, a senior computer scientist and project manager at NIST, “The Framework was designed to bridge the communication gap between cybersecurity technologists and people in other fields; for example, other specialists and senior executives. For that reason, it was important to organize around a universally understood vocabulary. Identify, Protect, Detect, Respond, and Recover are simple and meaningful words for all parties. They allow proper consideration of cybersecurity by people who are not cybersecurity specialists. They also allow people who are not cybersecurity specialists to participate in cybersecurity decisions.” (*Personal correspondence with authors, reprinted with permission.)
In connection with the publication of “Take Back Control of Your Cybersecurity Now,” we wanted to focus on the first three elements of the Framework: Identify, Protect and Detect. We think they are the cornerstone of this great document:
Identify is a greatly overlooked element of almost any cybersecurity program because we create so much data every day: 2.5 quintillion bytes of information each day. That is the equivalent of 10 million Blu-ray discs, which, stacked on top of each other, would reach the height of four Eiffel Towers stacked one on top of the other. We are creating this data in our businesses, in financial transactions and in the provision of our health and medical care. We are using this data to improve business processes and practices, innovate, create efficiencies and improve business performance. And for multinationals, you likely don't have this data in just one place. You have it in many countries, in the cloud and in data “lakes” where it is used for big data analytics. Data is the new gasoline for the digital economy. If you don't know what information you have, where it lives, and its relative importance to your business, it is awfully hard to craft a sound cybersecurity strategy.
Companies need to wrestle the Identify element of the Framework to the ground for many reasons.
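Knowing what data you hold starts with finding it. The following is an added example, not code from the article or from NIST: a minimal data-discovery pass that crawls a set of documents, tags each one with a classification label, and summarizes where sensitive records live. The sample documents, their path names and the labels “PCI” and “PII” are constructed for illustration; a real inventory would walk file shares, object-storage buckets and the data lake the article mentions. The Luhn check is there to show why pattern matching alone over-reports: a ticket number that merely looks like a card number is filtered out.

```python
"""Added example (not from the article): a small data-discovery scan that
inventories where sensitive records live, a first step toward the NIST
Framework's Identify function. Sample files, paths and labels are constructed."""
import re
from collections import Counter

# Constructed sample "files" standing in for a crawl of shares, buckets or a data lake.
SAMPLE_FILES = {
    "finance/q3-refunds.csv": "order,card\n1001,4111111111111111\n1002,4012888888881881\n",
    "hr/onboarding.txt": "Employee SSN 123-45-6789 starts Monday.\n",
    "eng/readme.md": "Build with make; run tests with pytest. Ticket 1234-5678-9012-3456.\n",
    "marketing/blog.txt": "Nothing sensitive here, just draft copy.\n",
}

# 13-16 digits, optionally separated by spaces or dashes; US SSN layout.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: drops digit runs that cannot be real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of classification labels that apply to one document."""
    labels = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # pattern hit alone is not enough
            labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    return labels


def inventory(files: dict) -> dict:
    """Map each path to its sorted list of labels (empty list = nothing found)."""
    return {path: sorted(classify(body)) for path, body in files.items()}


def summary(inv: dict) -> Counter:
    """Count how many documents carry each label, for the board-level view."""
    counts = Counter()
    for labels in inv.values():
        counts.update(labels)
    return counts


if __name__ == "__main__":
    inv = inventory(SAMPLE_FILES)
    for path, labels in inv.items():
        print(f"{path:28} {', '.join(labels) or '-'}")
    print("totals:", dict(summary(inv)))
```

The output of a scan like this is the starting point for the “relative importance” question: documents tagged PCI or PII get an owner, a retention decision and a protection level, while the untagged bulk does not need the same controls.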
The Protect element of the Framework is very much related to the Identify element. A couple more words here, though, on “Protect”:
Managing the complexity of today's systems and being able to claim that those systems are trustworthy and secure means that first and foremost, there must be a level of confidence in the feasibility and correctness-in-concept, philosophy, and design, regarding the ability of a system to function securely as intended. That basis provides the foundation to address the additional security concerns that provide confidence for the expectation that the system functions only as intended across the spectrum of disruptions, hazards, and threats, and to realistically bound those expectations with respect to constraints, limitations, and uncertainty. The level of trustworthiness that can be achieved in today's complex systems is a function of our ability to think about system security across every aspect of every activity, and in our ability to execute with commensurate fidelity and rigor to produce results that provide the confidence in the basis for those claims of trustworthiness. See NIST Special Publication 800-160.
As the summer of 2016 moved into September, the insecurity of the IoT became plain when the website of noted security journalist Brian Krebs was taken down by a massive distributed denial of service (DDoS) attack launched from the Mirai botnet. As later discovered, the attack, roughly double the size of any previously seen, was engineered by attackers who had taken over a very large number of insecure IoT devices (cameras, digital video recorders and home routers, typically by logging in over the network with factory-default usernames and passwords that owners never changed) and used them to generate the flood of traffic. Mirai was then turned on the DNS provider Dyn in October 2016, knocking major websites offline, and that attack led NIST to move up the publication date of SP 800-160.
As noted by Ron Ross of NIST, one of the authors of SP 800-160, this acceleration was warranted and necessary. He noted: “We are pushing computers to the edge in every part of the critical infrastructure and providing wireless access through ubiquitous networks. Many of the vulnerabilities that exist in the systems and devices that support this infrastructure are buried in the complexity of the hardware, firmware and software leading to a dangerous susceptibility to damaging cyber-attacks.” (*Personal correspondence with authors, reprinted with permission.)
The security of the IoT is obviously a moving target, and it has garnered much attention, especially with the imminent change of presidential administration.
Detect is perhaps the element that has risen most in importance since the Framework was announced in February 2014. The devil here is dwell time, i.e. the time between an attacker's initial compromise and the organization's discovery that malware is on its systems. The average dwell time today for a non-bank is about five months. It takes an attacker approximately three days to set up residence on your network. So five months on your network is about five months too long.
This problem has been complicated over the past 12 months by malware variants that slightly change a file so that it no longer matches the known signature, and by latent (“silent but deadly”) malware that lies dormant on your systems for months on end before it activates and steals your stuff. Last year people talked about endpoint detection, i.e. the ability to see and stop malware at the individual device level. Today, people are talking about artificial intelligence and machine learning solutions that allow defenders of large computer networks to understand, at network speed, that something abnormal is happening on their network and that it needs to be stopped. Fast.
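The two halves of that paragraph, brittle signatures and behaviour-based detection, can be shown side by side. The following is an added example, not code from the article or from any product it mentions: an exact-hash signature check that a one-byte change to the sample defeats, next to a simple behavioural check that flags a workstation making outbound requests at a near-constant interval (the “beaconing” of implanted malware calling home). The malware bytes, the proxy log lines and their field layout (timestamp, source host, destination, bytes) are constructed for illustration; the thresholds are assumptions to tune against your own traffic.

```python
"""Added example (not from the article): why a hash signature misses a
trivially modified variant, and how a behavioural check on outbound traffic
(regular "beaconing" to one destination) still catches it.
The sample bytes, log lines and thresholds are constructed assumptions."""
import hashlib
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed: a known-bad sample and a variant with a single byte appended.
KNOWN_BAD = b"MZ\x90\x00fake-malware-sample"
VARIANT = KNOWN_BAD + b"\x00"
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Exact-hash signature check: any change to the file defeats it."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES


# Constructed proxy log: timestamp, source host, destination, bytes sent.
# ws-17 calls one host every 60 seconds like clockwork; ws-04 browses normally.
PROXY_LOG = """\
2016-10-03T09:00:00 ws-17 update.example.net 512
2016-10-03T09:01:00 ws-17 update.example.net 512
2016-10-03T09:02:00 ws-17 update.example.net 512
2016-10-03T09:03:00 ws-17 update.example.net 512
2016-10-03T09:04:00 ws-17 update.example.net 512
2016-10-03T09:00:12 ws-04 www.example.com 20481
2016-10-03T09:07:45 ws-04 www.example.com 1337
2016-10-03T09:31:02 ws-04 www.example.com 9099
2016-10-03T09:58:19 ws-04 cdn.example.org 400123
"""


def parse_log(text: str) -> dict:
    """Group request timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _nbytes = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_candidates(events: dict, min_hits: int = 5, max_jitter: float = 0.1) -> list:
    """Flag pairs whose inter-request intervals are near-constant.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    gaps; human browsing is bursty and far exceeds it, a timer does not."""
    hits = []
    for pair, times in events.items():
        if len(times) < min_hits:       # too few requests to judge regularity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append(pair)
    return hits


if __name__ == "__main__":
    print("known sample matches signature:", signature_match(KNOWN_BAD))
    print("one-byte variant matches signature:", signature_match(VARIANT))
    print("beaconing hosts:", beacon_candidates(parse_log(PROXY_LOG)))
```

The point is not that interval statistics are a complete detector (real implants add random jitter, which is why the threshold is a parameter), but that a check on what the machine does keeps working after the file on disk has been altered, which is the property the article's dwell-time problem demands.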
Finally, the Detect element has risen to new heights because many organizations and regulators have come to understand that network defense changes daily, and that new vulnerabilities can pop up at a moment's notice. So can spear phishing attacks and other forms of cyberattack that might leave malware on your systems. More and more today, companies are doing both vulnerability assessments and compromise assessments in order to assess the status of a server, network or device, and to see whether they have already been breached. Regulators also understand the importance of these assessments, as reflected in their guidance. Lastly, given the recent discussion and debate around the security of the IoT, vulnerability assessments of key internet-connected components of larger devices, machinery, factory plants and electric grids will soon (hopefully) be the norm rather than the exception.
While our focus in this article has been mainly on the Identify, Protect and Detect elements of the Framework, organizations should by no means ignore the Respond and Recover elements, which ensure that they are ready to address the inevitable breach effectively. As anyone with emergency response experience would attest, preparedness is key to successfully navigating adverse circumstances.
So, there you have it. Our cybersecurity prediction for 2017. Given its breadth, its importance and the great minds behind it, the NIST Cybersecurity Framework provides not just a framework to act, but a framework to succeed in your cybersecurity defense. Used wisely and often, it is a living, breathing document that is equal to the dangerous times we are seeing today. NIST has also announced that it will work on an updated version of the Framework, likely Version 1.1, during 2017, to enhance usability and provide guidance on metrics and measurement. But don't delay: get started on the road toward adoption of the NIST Framework now.
For additional information see “Take Back Control of Your Cybersecurity Now.”
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.