Using the NIST Cybersecurity Framework to boost your security
The National Institute of Standards and Technology (NIST) — part of the U.S. Department of Commerce — maintains a frequently updated Cybersecurity Framework that any organization can use as a set of guidelines and recommended practices for improving overall cybersecurity. As NIST describes it:
“The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.”
Following the framework’s guidance will definitely improve your cybersecurity profile. But that second sentence about communication is also very important. It’s critical for all stakeholders on various teams to share a common security vocabulary if they’re going to coordinate their efforts effectively.
It's a big document, and for small IT teams with limited resources it can seem daunting to approach its wealth of information and prioritize the practical steps you can take now to have the greatest positive effect on cybersecurity. But it’s not as complex as it appears.
The five core functions
The NIST framework separates out five core functions that need to be addressed for optimal cyber security:
- Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
- Protect – Develop and implement appropriate safeguards to ensure delivery of critical services.
- Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity incident.
- Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
- Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
Drilling down into the many specific recommendations for fulfilling these core functions, and identifying which ones are most important for you, is a big job. But here at least we can take a quick pass through each of them and identify what might count as low-hanging fruit in each category.
It's important to conduct a thorough security audit of your entire infrastructure. Once you understand the specific risks to different groups of individuals, devices, data structures, apps, and other critical services, you can use that understanding to guide your efforts to improve cybersecurity.
Free online tools such as Barracuda Email Threat Scan, Barracuda Vulnerability Manager, and Barracuda Cloud Assessment Scan provide a wealth of baseline information about your exposure to cyber risk in the key areas email security, web application security, and cloud services configuration.
Security awareness simulation and training programs such as Barracuda Security Awareness Training can deliver even more granular visibility into risk profiles for individual users.
Barracuda Data Inspector scans your Microsoft 365 data to identify many types of sensitive and malicious data that may be stored in unsecure locations or represents a potential threat of compromise.
The information you gather using these tools has direct practical application in how you prioritize your cybersecurity investments going forward.
This core function covers all the things you do to reduce the chance of an incident and to limit or contain the impacts of a cybersecurity incident. This includes:
- Identity management and access controls. Enforce up-to-date password policies, and protect your critical assets and applications against unauthorized access using a zero trust network access solution such as Barracuda CloudGen Access.
- Enabling your users to more consistently identify and report malicious emails through the use of an advanced security awareness training solution like Barracuda Security Awareness Training.
- Securing and protecting data against accidental or malicious loss by implementing and advanced, cloud-first backup solution such as Barracuda Backup.
- Implementing effective network segmentation to prevent incidents from spreading beyond the initial area of compromise.
In order to detect cybersecurity incidents in progress, you need to be able to monitor inbound, outbound, and internal traffic of all kinds, and to identify malicious email, malware, app compromise attempts, and unauthorized movement of data.
Strong email security such as Barracuda Email Protection helps you detect both known and unknown threats. It monitors all email traffic and uses AI to detect malicious anomalies.
Detecting malicious network traffic requires a full-featured network firewall such as Barracuda CloudGen Firewall. And detecting malicious application activity, such as that of evasive bots or the latest generation of ransomware attacks, demands an advanced, easy-to-use web application firewall solution like Barracuda WAF-as-a-Service.
It’s critical for your team to be ready to respond rapidly and effectively to a cybersecurity incident. This requires significant advance planning and communication among different stakeholders.
To increase the speed and accuracy of your team’s response, use an incident-response automation capability such as Barracuda Incident Response that dramatically simplifies the job of identifying the scope of an email-based attack, deleting the attack from affected systems, and updating security settings based on the specific threat data collected.
Minimizing the overall impacts of a cybersecurity incident, and restoring any lost capacity to deliver services or conduct operations, is key to keeping the ultimate financial cost to a minimum.
If you have an advanced backup solution in place, such as Barracuda Backup, you should be able to restore any compromised or damaged data — from individual files to entire servers — quickly and completely, and to restore any lost operational ability. In the event of a ransomware incident, it can also make it easy for you to avoid paying any ransom.
How you control your users’ password selections can have a large impact on whether stolen or otherwise compromised credentials can be used to penetrate your network.
NIST password guidelines offer an example of why it’s important to revisit the Cybersecurity Framework periodically. The guidelines used to recommend fairly frequent required password changes for all users. But it was found that this had the perverse effect of reducing security. Users would very often establish a pattern for successive passwords — raising or lowering a number, for instance, or transposing two characters, or replacing letters with special characters.
It turned out — as a 2016 US Federal Trade Commission article reports — that with just three or four previous passwords, it was often simple to guess a given user’s current password. So now the practice of requiring password updates (unless there’s evidence of a compromise) is explicitly not recommended.
Other NIST recommendations for password policies include:
- Check passwords against breached password lists
- Block passwords contained in password dictionaries
- Prevent the use of repetitive or incremental passwords
- Disallow context-specific words as passwords
- Increase the length of passwords
Some of these recommendations can be implemented via Active Directory settings, but others require third-party password-management solutions.
Embrace the journey
Perhaps the most important thing to remember while studying the NIST framework and seeking to implement its recommendations is that cybersecurity is not a destination but a journey.
That is, you’re not going to reach an endpoint where your security is perfect. Instead, staying secure is an ongoing, iterative process that you’re constantly improving and adapting to evolving conditions. New threat data drives new strategies and new technical capabilities, resulting in yet more data to drive the next generation of improvements.
In other words, don’t try to swallow the NIST Cybersecurity Framework whole. Instead, use it as a guide to help you define, plan, and execute discrete cybersecurity strategies that are most urgent for your organization.
For more information and quotations, please email us at email@example.com