November 10th, 2022
Author: Baan Alsinawi, Managing Director of Cerberus Sentinel and Founder of TalaTek
The last couple of years have been filled with what seems like countless high-profile cyber attacks — SolarWinds and Colonial Pipeline immediately come to mind.
Add to that the top six breaches that occurred in the U.S. and other countries in the first six months of this year, and we can see that hacks, scams, breaches and ransomware are the norm, not the exception. Although the U.S. government is doing its part to offer executive guidance and create meaningful security frameworks to combat new and ongoing threats, the onus must fall on the private sector to adopt, manage and revisit its security best practices if we are to get ahead of constantly evolving cyber threats.
And it’s not for lack of trying on the federal government’s part. The Cybersecurity and Infrastructure Security Agency was established in 2018 “to work across public and private sectors, challenging traditional ways of doing business by engaging with government, industry, academic, and international partners.” Though it has created a partnership between the private and public sector, there is still much work to do to bring the promise of CISA, executive orders and frameworks to fruition.
Frameworks as a first step
In response to the major 2021 breaches mentioned above, the White House’s Executive Order on Improving the Nation’s Cybersecurity was issued on May 12, 2021. Section Four of the EO, Enhancing Software Supply Chain Security, required the National Institute of Standards and Technology to “issue guidance identifying practices that enhance the security of the software supply chain.” A year later, in May 2022, NIST released Special Publication 800-161 Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, as part of its response to the EO. But this prompts an important question: Is another cybersecurity framework really the answer to this problem?
The 101 on NIST’s SP 800-161 Rev. 1
NIST’s SP 800-161, Rev. 1, an update from the original 2015 release, offers a detailed blueprint for how to develop and implement a Cybersecurity Supply Chain Risk Management Program (C-SCRM). It provides templates, workflows and questionnaires, and requires agency officials to develop strategies that ensure accountability by federal officials. It also includes sample scenarios and what-to-do checklists for addressing different types of threats.
NIST SP 800-161 Rev. 1 emphasizes the need for organizations to conduct a C-SCRM as part of a more holistic risk management program, using risk tolerance, risk calculations, impact and likelihood evaluations to determine the degree of risk, and implementing a process for accepting, mitigating and/or transferring such risks.
For years, I have been heavily involved with federal agencies and the private sector, helping them manage compliance, conducting risk management, and advising on the importance of creating comprehensive risk management programs. And it is my opinion that the solution to our problem in the security risk management community isn’t that we need more presidential directives, newer technology or even more NIST special publications (as much as I love NIST and all its special publications)! The truth is we have plenty of frameworks, standards and requirements already in place and available for those who care to develop a risk management strategy. What we really need is to adopt a cultural shift in how we approach managing risk in our business community.
Executive orders can only go so far
This is not the first EO issued to respond to cyberthreats, and it won’t be the last. Going back a few years, we can find many EOs and directives aiming to address these types of threats, yet many frameworks go unused and/or underutilized. Two examples include:
- Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure on May 11, 2017.
- The Comprehensive National Cybersecurity Initiative in 2009.
What would offer more promise to securing the nation is a government-first approach, where government agencies set the example by stepping up quickly and embracing a higher level of security. Agencies today have a choice of frameworks and many other tools at their disposal, not to mention the critical step of starting with risk management. Federal agencies should embrace their own policies, frameworks and other tools to help stem the increasing threats posed in cyberspace.
NIST special publications and frameworks
NIST’s SP 800-161 is a great publication. But we have many other great NIST publications that address these same risks/concepts and offer comprehensive risk management frameworks and tools that I and my risk management colleagues already use regularly and rely upon when assisting our clients in the government and private sector.
These include NIST SP 800-37, first released in 2004 and now in its second revision, which laid out the now widely used Risk Management Framework, or RMF (full name: RMF for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy); 800-39, Managing Information Security Risk; 800-30, Guide for Conducting Risk Assessments; 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations; and 800-53, Assessing Security and Privacy Controls in Information Systems and Organizations. NIST 800-53 Rev. 5 (released late 2021) created a new Supply Chain Risk Management control family that addresses the exact risks that 800-161 covers, though 800-161 does cover them in more detail.
7 steps to move beyond frameworks
Regardless of the latest EO, new tools and special frameworks, taking the necessary steps to be in compliance is the real battle for any industry. A good risk management program should include the following:
1. Choose a risk management framework (choose any, but it’s best to use the NIST RMF, SP 800-37 mentioned above).
2. Identify your business risks.
3. Define your risk tolerance.
4. Have a clear strategy for addressing risks you cannot tolerate.
5. Don’t make “great the enemy of the good.” Implementing basic cyber hygiene, such as the following, goes a long way toward mitigating most risks:
   - Monitor your network and applications.
   - Create baseline acceptable behavior to easily identify abnormal behavior.
   - Implement layers of defense: anti-virus, firewalls, intrusion prevention and integrity checks.
   - Implement a zero trust strategy so that if one part of your system(s) is compromised, the breach won’t spread anywhere else.
   - Establish more access control to achieve “least privilege” for users, devices and other pieces of compute such as servers and virtual machines.
   - Make sure you have good backups that are tested and encrypted (hopefully no one stores their backup media in the same room as their system[s]).
   - Don’t wait until you have an actual disruption to test your backups. That is too late. Finding out that backups are not working during a disaster recovery is, well, a disaster.
   - Know what your inventory looks like. Have network diagrams and inventory lists that are up to date and accessible when needed, ideally included in your System Security Plan.
   - Know your ingress/egress points (system boundary). Have a network diagram with data flows clearly denoted.
6. Have a team of qualified professionals who have clear policies and procedures to follow.
7. Rinse and repeat.
This heightened focus on supply chain risks, nation-state actors and organized cybercrime is not going away. In response, new policies, standards and guidelines are rolled out in almost real-time. But the bottom line remains the same. We know exactly what we need to do. We just need to actually do it.
First published at Federal News Network.