Cybersecurity Risk Management

Name: Cybersecurity Risk Management | Mastering the Fundamentals Using the NIST Cybersecurity Framework
Brand: Wiley
Price: 89.99 EUR
Availability: OnlineOnly

Mastering the Fundamentals Using the NIST Cybersecurity Framework

Cynthia Brumfield Brian Haugli(Autor*in)

Wiley (Verlag)

1. Auflage

Erschienen am 23. November 2021

176 Seiten

E-Book

ePUB mit Adobe-DRM

Systemvoraussetzungen

978-1-119-81630-0 (ISBN)

89,99 €inkl. 7% MwSt.

Systemvoraussetzungen

für ePUB mit Adobe-DRM

E-Book Einzellizenz

Als Download verfügbar

Beschreibung

Weitere Details

Weitere Ausgaben

Personen

Inhalt

Intro
Cybersecurity Risk Management
Contents
Academic Foreword
Acknowledgments
Preface - Overview of the NIST Framework
Background on the Framework
Framework Based on Risk Management
The Framework Core
Framework Implementation Tiers
Framework Profile
Other Aspects of the Framework Document
Recent Developments At Nist
CHAPTER 1 Cybersecurity Risk Planning and Management
Introduction
I. What Is Cybersecurity Risk Management?
A. Risk Management Is a Process
II. Asset Management
A. Inventory Every Physical Device and System You Have and Keep the Inventory Updated
B. Inventory Every Software Platform and Application You Use and Keep the Inventory Updated
C. Prioritize Every Device, Software Platform, and Application Based on Importance
D. Establish Personnel Security Requirements Including Third-Party Stakeholders
III. Governance
A. Make Sure You Educate Management about Risks
IV. Risk Assessment and Management
A. Know Where You're Vulnerable
B. Identify the Threats You Face, Both Internally and Externally
C. Focus on the Vulnerabilities and Threats That Are Most Likely AND Pose the Highest Risk to Assets
D. Develop Plans for Dealing with the Highest Risks
Summary
Chapter Quiz
Essential Reading on Cybersecurity Risk Management
CHAPTER 2 User and Network Infrastructure Planning and Management
I. Introduction
II. Infrastructure Planning and Management Is All about Protection, Where the Rubber Meets the Road
A. Identity Management, Authentication, and Access Control
1. Always Be Aware of Who Has Access to Which System, for Which Period of Time, and from Where the Access Is Granted
2. Establish, Maintain, and Audit an Active Control List and Process for Who Can Physically Gain Access to Systems
3. Establish Policies, Procedures, and Controls for Who Has Remote Access to Systems
4. Make Sure That Users Have the Least Authority Possible to Perform Their Jobs and Ensure That at Least Two Individuals Are Responsible for a Task
5. Implement Network Security Controls on All Internal Communications, Denying Communications among Various Segments Where Necessary
A Word about Firewalls
6. Associate Activities with a Real Person or a Single Specific Entity
7. Use Single- or Multi-Factor Authentication Based on the Risk Involved in the Interaction
III. Awareness and Training
A. Make Sure That Privileged Users and Security Personnel Understand Their Roles and Responsibilities
IV. Data Security
A. Protect the Integrity of Active and Archived Databases
B. Protect the Confidentiality and Integrity of Corporate Data Once It Leaves Internal Networks
C. Assure That Information Can Only Be Accessed by Those Authorized to Do So and Protect Hardware and Storage Media
D. Keep Your Development and Testing Environments Separate from Your Production Environment
E. Implement Checking Mechanisms to Verify Hardware Integrity
V. Information Protection Processes and Procedures
A. Create a Baseline of IT and OT Systems
B. Manage System Configuration Changes in a Careful, Methodical Way
A Word about Patch Management
C. Perform Frequent Backups and Test Your Backup Systems Often
D. Create a Plan That Focuses on Ensuring That Assets and Personnel Will Be Able to Continue to Function in the Event of a Crippling Attack or Disaster
VI. Maintenance
A. Perform Maintenance and Repair of Assets and Log Activities Promptly
B. Develop Criteria for Authorizing, Monitoring, and Controlling All Maintenance and Diagnostic Activities for Third Parties
VII. Protective Technology
A. Restrict the Use of Certain Types of Media On Your Systems
B. Wherever Possible, Limit Functionality to a Single Function Per Device (Least Functionality)
C. Implement Mechanisms to Achieve Resilience on Shared Infrastructure
Summary
Chapter Quiz
Essential Reading on Network Management
CHAPTER 3 Tools and Techniques for Detecting Cyber Incidents
Introduction
What Is an Incident?
I. Detect
A. Anomalies and Events
1. Establish Baseline Data for Normal, Regular Traffic Activity and Standard Configuration for Network Devices
2. Monitor Systems with Intrusion Detection Systems and Establish a Way of Sending and Receiving Notifications of Detected Events
Establish a Means of Verifying, Assessing, and Tracking the Source of Anomalies
A Word about Antivirus Software
3. Deploy One or More Centralized Log File Monitors and Configure Logging Devices throughout the Organization to Send Data Back to the Centralized Log Monitor
4. Determine the Impact of Events Both Before and After they Occur
5. Develop a Threshold for How Many Times an Event Can Occur Before You Take Action
B. Continuous Monitoring
1. Develop Strategies for Detecting Breaches as Soon as Possible, Emphasizing Continuous Surveillance of Systems through Network Monitoring
2. Ensure That Appropriate Access to the Physical Environment Is Monitored, Most Likely through Electronic Monitoring or Alarm Systems
3. Monitor Employee Behavior in Terms of Both Physical and Electronic Access to Detect Unauthorized Access
4. Develop a System for Ensuring That Software Is Free of Malicious Code through Software Code Inspection and Vulnerability Assessments
5. Monitor Mobile Code Applications (e.g., Java Applets) for Malicious Activity by Authenticating the Codes' Origins, Verifying their Integrity, and Limiting the Actions they Can Perform
6. Evaluate a Provider's Internal and External Controls' Adequacy and Ensure they Develop and Adhere to Appropriate Policies, Procedures, and Standards
Consider the Results of Internal and External Audits
7. Monitor Employee Activity for Security Purposes and Assess When Unauthorized Access Occurs
8. Use Vulnerability Scanning Tools to Find Your Organization's Weaknesses
C. Detection Processes
1. Establish a Clear Delineation between Network and Security Detection, with the Networking Group and the Security Group Having Distinct and Different Responsibilities
2. Create a Formal Detection Oversight and Control Management Function
Define Leadership for a Security Review, Operational Roles, and a Formal Organizational Plan
Train Reviewers to Perform Their Duties Correctly and Implement the Review Process
3. Test Detection Processes Either Manually or in an Automated Fashion in Conformance with the Organization's Risk Assessment
4. Inform Relevant Personnel Who Must Use Data or Network Security Information about What Is Happening and Otherwise Facilitate Organizational Communication
5. Document the Process for Event Detection to Improve the Organization's Detection Systems
Summary
Chapter Quiz
Essential Reading for Tools and Techniques for Detecting a Cyberattack
CHAPTER 4 Developing a Continuity of Operations Plan
Introduction
A. One Size Does Not Fit All
I. Response
A. Develop an Executable Response Plan
B. Understand the Importance of Communications in Incident Response
C. Prepare for Corporate-Wide Involvement During Some Cybersecurity Attacks
II. Analysis
A. Examine Your Intrusion Detection System in Analyzing an Incident
B. Understand the Impact of the Event
C. Gather and Preserve Evidence
D. Prioritize the Treatment of the Incident Consistent with Your Response Plan
E. Establish Processes for Handling Vulnerability Disclosures
III. Mitigation
A. Take Steps to Contain the Incident
B. Decrease the Threat Level by Eliminating or Intercepting the Adversary as Soon as the Incident Occurs
C. Mitigate Vulnerabilities or Designate Them as Accepted Risk
IV. Recover
A. Recovery Plan Is Executed During or After a Cybersecurity Incident
B. Update Recovery Procedures Based on New Information as Recovery Gets Underway
C. Develop Relationships with Media to Accurately Disseminate Information and Engage in Reputational Damage Limitation
Summary
Chapter Quiz
Essential Reading for Developing a Continuity of Operations Plan
CHAPTER 5 Supply Chain Risk Management
Introduction
I. NIST Special Publication 800-161
II. Software Bill of Materials
III. NIST Revised Framework Incorporates Major Supply Chain Category
A. Identify, Establish, and Assess Cyber Supply Chain Risk Management Processes and Gain Stakeholder Agreement
B. Identify, Prioritize, and Assess Suppliers and Third-Party Partners of Suppliers
C. Develop Contracts with Suppliers and Third-Party Partners to Address Your Organization's Supply Chain Risk Management Goals
D. Routinely Assess Suppliers and Third-Party Partners Using Audits, Test Results, and Other Forms of Evaluation
E. Test to Make Sure Your Suppliers and Third-Party Providers Can Respond to and Recover from Service Disruption
Summary
Chapter Quiz
Essential Reading for Supply Chain Risk Management
CHAPTER 6 Manufacturing and Industrial Control Systems Security
Essential Reading on Manufacturing and Industrial Control Security
Appendix A: Helpful Advice for Small Organizations Seeking to Implement Some of the Book's Recommendations
Appendix B: Critical Security Controls Version 8.0 Mapped to NIST CSF v1.1
Answers to Chapter Quizzes
Index
EULA

Preface - Overview of the NIST Framework

The National Institute of Standards and Technology (NIST), located in Gaithersburg, MD, is a US Department of Commerce division. It is assigned the job of promoting innovation and industrial competitiveness. It is a research organization filled with some of the world's leading scientists and has produced many Nobel Prize winners.

NIST has a wide-ranging mandate: develop federal patents, oversee over 1,300 Standard Reference Materials, run a scientific laboratory in Boulder, CO, and pursue innovation in encryption technologies, among other significant efforts. NIST is primarily a scientific and engineering organization and, as such, produces patents, technical breakthroughs, documentation, and recommendations through extensive consultation with experts in various areas. This scientific consensus approach often has impressive results that can be difficult for non-specialists to understand or apply.

The NIST Cybersecurity Framework resulted from an intensive one-year effort to synthesize cybersecurity experts' best thinking into a single "framework of frameworks" that can assure superior risk management. It's well-understood in the cybersecurity field that risks are constant and that the best approach to organizational cybersecurity is to manage those risks because no one can eliminate them.

The NIST Framework attempts to incorporate all the best various risk management and remediation practices into one coherent whole, an ambitious goal in the complex cybersecurity field. It is a multi-layered, spoke-and-wheel collection of ideas grouped along logical lines.

The Framework is conceptual and not technical, making it a challenge for many organizations to apply in the real world. It doesn't help that NIST specifically avoided any technical recommendations when developing the Framework. NIST instead chose to map its recommendations to a host of standards, or informative references, designed in-house and at other standards-setting bodies.

Despite its growing use among leading corporations, government offices, and non-profit organizations in the United States and worldwide, many non-cybersecurity professionals, and even some cybersecurity specialists, struggle with the practical application of the NIST Framework.

The following summary provides a broad overview of what the Framework is and how it's structured. Keep in mind that the rest of the book focuses on the much-needed practical guidance on applying the NIST Framework, which we hope even non-cybersecurity professionals will grasp and find useful.

BACKGROUND ON THE FRAMEWORK

In the face of growing concerns over the prospect of a devastating cyberattack on US critical infrastructure, President Barack Obama issued on February 12, 2013, Executive Order (EO) 13636 "Improving Critical Infrastructure Cybersecurity."1 The EO aimed to create a "partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards." To achieve that objective, the EO mandated that NIST develop within one year "a voluntary risk-based Cybersecurity Framework, a set of industry standards and best practices to help organizations manage cybersecurity risks."

To hammer out the Framework, NIST hosted five workshops at multiple universities involving thousands of domestic and international private- and government-sector participants. Finally, on February 12, 2014, NIST issued the Framework for Improving Critical Infrastructure Cybersecurity.2 The Department of Homeland Security (DHS) currently considers 16 sectors to be critical infrastructure sectors, encompassing information technology, financial services, energy, communications, manufacturing, and many other central services.3 However, NIST hopes that the Framework will be helpful to all organizations and anticipates that its application will extend beyond critical infrastructure.

Underscoring the "living" nature of the Framework, on April 16, 2018, NIST issued an update, Version 1.1.4 The updated Framework features several additional subcategories, including an expansive new set of subcategories dealing with Supply Chain Risk, a timely addition as the protection of digital supply chains has taken center stage due to some recent damaging and high-profile supply chain attacks.

In developing the Framework, NIST wanted to ensure maximum flexibility of application. The final document is industry- and technology-neutral. It encompasses hundreds of standards. It is also international in scope.

NIST stresses that the Framework is not intended to replace any organization's existing cybersecurity program but is a tool to strengthen existing practices. Suppose an organization does not have a cybersecurity risk management program or set of cybersecurity practices in place? In that case, the Framework should serve as a good starting point for developing that program or those practices.

FRAMEWORK BASED ON RISK MANAGEMENT

NIST premised the entire Framework on the concept of risk management, which is "the ongoing process of identifying, assessing, and responding to risk," an approach that provides a dynamic implementation of the Framework's recommendations. Under a risk management approach, "organizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services."5

The Framework consists of three parts: The Framework Core, the Framework Implementation, and the Framework Profile Tiers. The purpose of these three parts is to provide a "common language" that all organizations can use to understand, manage, and communicate their cybersecurity initiatives, both internally and externally, and can scale down or up to various parts of an organization as needed.

THE FRAMEWORK CORE

The Framework Core is a set of activities aimed at organizing cybersecurity initiatives to achieve specific outcomes. The Core has five functions: Identify, Protect, Detect, Respond, and Recover (Figure 0.1).

Figure 0.1 NIST CORE FRAMEWORK.

Within each of these functions are categories of activities. Within each category of activities are subcategories, and for each subcategory, there are informative references, usually standards, for helping to support the activities (Figure 0.2).

Figure 0.2 NIST CATEGORIES, SUBCATEGORIES, AND INFORMATIVE REFERENCES.

For example, one category under the function Identify is Asset Management (Figure 0.3). A subcategory of Asset Management is "Physical devices and systems within the organization are inventoried." For that subcategory, the Framework offers informative references that guide physical devices' inventory, mostly standards established by various technical standards-setting bodies. The complete listing of the Functions, Categories, Subcategories, and Informative References are in Appendix A of the final Framework Document on the NIST website.6

Figure 0.3 NIST FUNCTIONS AND CATEGORIES.

Although some organizations find the Framework Core, Categories, and Subcategories to be daunting, NIST intends them to be resources from which certain elements can be selected or examined, or used depending on the organization's unique configuration. NIST does not intend it to serve as a checklist of required activities. Nor are the Functions "intended to form a serial path, or lead to a static desired end state."

FRAMEWORK IMPLEMENTATION TIERS

The Framework Implementation Tiers consist of four levels of "how an organization views cybersecurity risk and the processes in place to manage that risk." Although the levels are progressive in terms of rigor and sophistication from Tier 1 (partial) to Tier 4 (Adaptive), they are not "maturity" levels in terms of cybersecurity approaches. NIST based successful implementation on the outcomes described in the organization's Target Profiles (see the next section) rather than a progression from Tier 1 to Tier 4.

The final Framework document describes the implementation tiers in more detail, but the following is a summary of the four tiers, modified from NIST's description (Figure 0.4):

Tier 1: Partial - Risk is managed in an ad hoc and sometimes reactive manner. There is limited awareness of cybersecurity risk at the organizational level with no organization-wide approach to cybersecurity. The organization may not have the processes in place to participate in coordination or collaboration with other entities.
Tier 2: Risk-Informed - Management approves risk management practices, but they may not be an organization-wide policy. There is awareness of cybersecurity risk at the organization level. Still, an organization-wide approach has not been established, and the organization understands the broader ecosystem but has not formalized its participation in it.
Tier 3: Repeatable - The organization's risk management practices are approved and formally adopted as policy. There is an organization-wide approach to risk management. The organization collaborates with and receives information from partners in the wider ecosystem.
Tier 4: Adaptive - The organization...

Systemvoraussetzungen

Als PDF speichern Als Link merken