Critical Infrastructure Cybersecurity Framework - Week 7

Executive Order 13636, Improving Critical Infrastructure Cybersecurity, signed on February 12, 2013, and its follow on NIST document, Framework for Improving Critical Infrastructure Cybersecurity, published on February 12, 2014, discuss coming up with a plan to ensure the cybersecurity of the nation its businesses. It is voluntary, but sets out to put into place a set of guidelines across a common language to ensure the safety and cybersecurity of the economy, the public, and businesses alike.

By creating a living document, they intend to make it usable for both large and small organizations. The idea is to create a framework consisting of three parts for cybersecurity. The three parts of the framework are the core, profiles, and tiers. The core is cybersecurity activities, outcomes, and references common across critical infrastructure sectors. They provide detailed guidelines for organizations to create their profiles. The profiles help an organization align with its business requirements, risk tolerances and resources. Tiers are to help an organization understand their approach to managing cybersecurity risk.

The Executive Order requires a methodology be included to protect individual privacy and civil liberties. The framework is designed to work for any business small or large, and is not a one size fits all. Because many companies operate overseas, the goal is to get the international community involved in the framework as well.

Information Security Awareness Training - Week 6

What do we really know about security awareness training? How many of us are required to do some sort of training annually for our jobs? How much do we really pay attention to that annual training? Depending on our role within the organization, there could be many different forms of information security awareness training.

The training an executive within the company does is most likely different than the training a new hire would do. That training would most likely be different than the training an IT manager would do. How do we know what training should be taken by each employee within an organization? There are several organizations and websites that can help.

There are companies that specialize in creating information security awareness training for other organizations. Some of these companies will develop entire programs for an organization. Others will tailor the training for a specific organization and hold a webinar, or go conduct in-house training for that organization. Others already have different modules of training developed that an organization can pick and choose which modules they would need for security awareness training for their employees.

Another option is developing the training in-house. There are several websites that offer checklists and suggestions for developing a training program. One of these is the National Institute of Standards and Technology. Their 800 series Special Publications can be a great help to an organization for many different things. NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, basically walks you through creating a training program for your organization.

Regardless of which method, company, training program you use, make sure you have one that is effective. Make sure your employees are up to speed on it. With the heavy reliance on technology in every business these days, you want to make sure your information is secure.

Information Security Policies - Week 5

Organizations need to develop information security policies for their operations. There are three types of information security policies, enterprise information security policy (EISP). issue-specific security policy (ISSP), and system-specific security policy (SysSP). Each of these policies serves a different purpose within an organization.

EISP deals with the organization's overall information security policies. It defines InfoSec for the organization and details the responsibilities of each department, as well as users, for InfoSec within the organization. It defines InfoSec as it relates to the organization and identifies critical components of InfoSec within the organization. This policy will also define staffing necessary to support InfoSec within the organization and will lay out how the InfoSec program will function throughout the organization and give a document that all other InfoSec policies will reference.

ISSP deals with how technology-based resources will be used and afforded InfoSec. It will define how the resources will be used, who may use them, and what restrictions there are with use of the resources. The policy defines physical security, who is authorized to use the resource, what is considered fair and responsible use of the resource, and what is considered misuse. It will stipulate what the organization can do to for systems management such as monitoring, physical security, virus protection, encryption, etc. There will be a timeline for scheduled reviews of the policy and procedures for modification.

With SysSP, the policy will address who exactly can use each system in the performance of their duties, what parts of each system a user can access, when the system is available for access, from where the systems may be accessed, as well as to what extent users can access the system. Each system may be set up with specific rights to information contained on that particular system that defines what type of access each user has, whether that is read only, write access, execute access, or delete access

Contingency Planning - Week 4

What do you do when the unthinkable happens? A tornado has just wiped out your business. Whether you are a small business, or a large corporation, contingency planning is a must. In NIST SP 800-34 the U.S. Department of Commerce provides guidelines for creating a contingency plan for information systems. If you are a large business, most, if not all, of the guidelines would apply. If you are a small business, there are certain guidelines you don't need to worry about, such as alternate sites.

When creating a contingency plan, a business should do a business impact analysis. This analysis will provide valuable information for creating your contingency plan. It will tell you what your Recovery Time Objective is, in what amount of time are you shooting for to be back up and running. What is your Maximum Tolerable Downtime? It will also tell you what your Recovery Point Objective is, the most critical functions you want back up after a disaster.

When creating a contingency plan, make sure you have looked at all the procedures and written them down. Assign specific duties and responsibilities in the event of a disaster. Identify who makes the call that your contingency plan goes into effect.

One of the key things to remember in contingency planning is to practice. Set up tests and exercises to ensure all personnel know their roles and responsibilities, and also to ensure equipment and systems are adequate for disaster recovery. Make sure to also relook at your contingency plan from time to time to ensure it is still sufficient to get your business back up and running after a disaster.

Data Breach Incidents - Week 3

                Looking through the past few years of Verizon’s Data Breach Investigations Reports, it makes me wonder how the same issues keep happening year after year. Yes, hackers and attackers get more sophisticated and creative as technology safeguards advance, but some of the same things keep happening each year. The 2016 report says 40% of the incidents could be prevented with what they consider “quick fixes.” If this is the case, why aren’t these quick fixes being utilized?

                Phishing still seems to be the biggest culprit for data breaches.  As long as phishing has been around, do people still not pay attention when they open emails and attachments? How much effort does it take to look at an email and make sure it’s from someone you would expect an email? If it’s not, check it first. Don’t open any attachments.

                Another one is using default or weak passwords, or doing something that allows someone to steal your password. Everyone knows what the default passwords are. When you first log into a system, change the password. Don’t change it to a weak password. Make sure it is strong and not easily figured out. Then, when you create a strong password, don’t write it down. That’s how they get stolen.

                One more on data breaches…card skimmers. They’ve been around for a bit and most times people pay closer attention when they use a card reader. If you’re in a hurry, still pay attention to your surroundings. Especially for those “quick” stops to fill up a gas tank. There are now tamper-resistant and tamper-evident card readers. Take a closer look and see if there is any evidence to lead you to believe it has been tampered with. Take a look at other gas pumps at the same place. Do they all look the same? Odds are if someone is using a skimmer, they’re not going to put one on every pump. If something looks out of place, don’t use it and alert the person inside behind the register. If in doubt, go inside and pay.