Initial commit: HPR Knowledge Base MCP Server
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
241
hpr_transcripts/hpr2850.txt
Normal file
@@ -0,0 +1,241 @@
Episode: 2850
Title: HPR2850: NIST Cybersecurity Framework
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr2850/hpr2850.mp3
Transcribed: 2025-10-24 12:08:30

---

This is HPR Episode 2850 entitled, NIST I'm a Security Framework and in part of the series,
Privacy and Security, it is hosted by AYUKA and in about 28 minutes long and Karimaklin flag.
The summary is, what NIST SUGES at SANA Framework to improve security at the enterprise level.
This episode of HPR is brought to you by AnanasThost.com.
Get 15% discount on all shared hosting with the offer code HPR15. That's HPR15.
Better web hosting that's honest and fair at AnanasThost.com.
Hello, this is AYUKA, welcoming you to Hacker Public Radio and another exciting episode in our security and
privacy series. We recently did a show that talked about the CERT recommendations for home networks,
so that's aimed at the average home user. What I want to do today is go on the other side and take a
look at enterprise level issues involving insecurity. What I want to do is take a look at something
from the National Institute of Standards and Technology here in the United States,
which they call their Cybersecurity Framework. Now, National Institute of Standards and Technology
does have a number of responsibilities, but one of them certainly is information, technology,
and security, and so when they issued this Cybersecurity Framework, I thought, you know,
not a bad thing to take a look at, and I think we do have some people who are in an enterprise level
environment that would perhaps be interested in seeing what this says. Now, their cybersecurity
framework sets standards for best practices that private companies are urged to adopt,
but federal government agencies are also directed to follow these guidelines.
Now, that is not to say that they are doing so in all cases. Its actual compliance is somewhat
spotty, and that certainly in the United States at least is something that's an ongoing problem is
you can lay down rules as to what people are supposed to do, whether they'll actually do them
is another thing entirely. Now, one of the things we're going to see as we look at this,
and this explains part of the problem, I think, is that there's always a conflict between security
and ease of use that we talk about with people at the individual level. So, we talk about things
like doing firmware updates and using strong passwords and everything. That's a little more work
for people to do. When you get to the enterprise level, now you add in cost and other resources
as an issue. Achieving security at the enterprise level is not free. It is going to require you
to spend money. It's going to require you to devote person hours, staff resources,
and change your methods in some way. So, all of these things are reasons why the compliance
level is not what it should be. Now, is that a bad thing? You know, that's a question that
management has to address. Since resources are not infinite, you do need to choose priorities,
and I would be the first to admit, in my private life, I don't necessarily do every single thing
that is recommended as a security requirement, because in some cases, it's like, I don't think
it's a big deal for me, and I'll make my own decisions. So, as we go through this list of
recommendations, it's quite possible that you're not going to find many, if any, organizations
that do every single thing in this list. But it's a useful look at this one group, the NIST,
what their take is on best practices. And I think it's important because we are becoming more and
more reliant on large organizations to handle critical infrastructure, and that infrastructure is
controlled by computers, and security of those devices becomes important. I was recently reading
an interesting article about how Russia is targeting utilities, and they basically started by going
after Ukraine, but they're starting to also target utilities here in the United States, and
if tensions increase, what can they do? Well, probably nothing good. Now, if you want to take a look
at the document yourself, which you're encouraged to do, the link is going to be in the show notes
for this. Now, the key term to understanding the approach that NIST uses is something called
risk management. That does not always mean adopting strict measures. You know, conceptually,
the responses to risk are one mitigation, two insurance, or three, except the risk.
Mitigation is what we normally think of as a response to risk, but ensuring against the outcome,
or simply accepting that something may happen, can be valid responses as well. It depends on the
situation. Deciding which way to approach it usually starts with a calculation involving both
the probability of an occurrence and the cost if it happens. If a risk has a low probability of
occurring and a low cost if it does occur, it is entirely rational to just accept the risk.
Now, the organizations that are the target of this particular document are critical infrastructure,
which can be both public and private in the United States. Private organizations are encouraged to
follow these recommendations, but a presidential order in 2017 directed all federal agencies to follow
them. Now, this framework has three major components. The framework core, which defines a
common set of practices and outcomes for security, framework implementation tiers, which focuses on
risk management practices, and three, a framework profile, which lets organizations assess current
state, compare it to desired future state, and identify opportunities for improvement.
So, the first of these is the framework core, and the framework provides a common language for
understanding, managing, and expressing cybersecurity risk to internal and external stakeholders.
It can be used to help identify and prioritize actions for reducing cybersecurity risk,
and it is a tool for aligning policy, business, and technological approaches to managing that risk.
It can be used to manage cybersecurity risk across an entire organization,
or it can be focused on the delivery of critical services within an organization.
Different types of entities, including sector coordinating structures, associations,
and organizations, can use the framework for different purposes, including the creation of
common profiles. So, that paragraph is really a quote itself from the framework document,
and lays out what they're looking at here. Now, the framework core has five functions. The core
functions, number one, identify, and there are two parts of this, identification of the risks,
and identification of the resources available to deal with the risks.
Two, protect. That means to put safeguards in place to limit or contain the impact of a cybersecurity
event. Three, detect. These are activities that involve security monitoring,
detecting anomalies, and so on.
Respond. That means to take appropriate action to contain the impact of a potential cyber security
incident, and five, recover. This is the resilience part. You need to be able to restore normal
operations and capabilities as quickly as possible. Now, framework implementation tiers.
This is about the degree of sophistication in cybersecurity risk management practices.
The document states that these tiers do not represent maturity levels, but I have to admit,
I am not sure where the distinction lies, since it sure sounds to me like they are maturity levels.
If you have a better understanding of that than I do, please record a show and explain it.
I'm sure Ken would love to have more. So, tier one, partial.
At this level, risk management practices are not formalized.
Risks are managed in an ad hoc or reactive manner.
So, clearly, this is the beginning level. Cybersecurity practices are not guided by risk
objectives, the threat environment, or business requirements.
I think I still tend to see a certain number of these things going on, even in the large organization
that I work for. One of the ones that is constantly great on me is this, you must change your
password every 60 days. Why? There's never a good answer to why. It's just, well, because that's
what everyone does. So, that's an example of a practice that is not guided by risk objectives,
a threat environment, or business requirements. Now, also tier one, a limited awareness of cyber
security risk at the organizational level. And events are handled on a case-by-case basis.
I think of this when you get some company has been cracked and people have stolen a bunch of
personally identifiable information from all of the customers. And it's just, oh my God,
no one could have predicted this. It is a super sophisticated attack. And when you finally learn
what went on, it was like it was garden variety fishing. But if you don't have any awareness of
what's going on, and you don't have that awareness at the organizational level, then you're just
stumbling from one thing to the next. For tier one, information may not be shared within the
organization. Information should be shared, but maybe you have people that are involved in
turf battles. Oh my God, if I let anyone know what's going on, it'll make me look bad.
The organization will tend to view its risks in isolation and does not share information or
collaborate with other entities. It does not see itself as part of an ecosystem.
So that's not good. This is really, I think, a lot of organizations are at this level right now,
particularly a lot of private companies. Now tier two is a little bit better. This is what we
call risk informed. So for a tier two organization, there are formal risk management policies that
are approved by management. There's prioritization of cybersecurity activities, and it is informed
by organizational risk objectives and the threat environment.
Now in our past discussions of security, I frequently quoted or paraphrased Bruce Schneier
that everything starts with, identify the threat, and what is it that you want to protect yourself
against. There's no sense in using a cannon to shoot flies, but on the other hand, you don't
want to bring a squirt gun to a gunfight. So understand the environment you're operating in
and what you need to protect. Now in a risk informed tier two organization, cybersecurity
information is shared within the organization, but it's kind of informal. There is some level of
awareness of other organizations in the ecosystem, and some information sharing is going on,
but not in any formal way. So that kind of sounds a little bit like, yeah, there are chief
information security officer who went to a conference and had some drinks at the bar with a few
other CISOs, and they chatted about what's going on. It's better than nothing, but it's not a formal
process of any kind. Tier three, and that tier is what they call repeatable.
Risk management is expressed as formal policies. Cybersecurity practices are regularly updated
in response to changing business needs, a changing threat environment, and changing technology.
Now, all of those things are continually changing. So you need to change with it. Things that
probably seems perfectly valid five or ten years ago are not valid now. So you need to do your
updating, and then you also want to have an organization-wide approach to manage cybersecurity risk.
All right, look at the entire environment, and your policy should be regularly reviewed and
consistently applied. Now, a tier three organization collaborates with other organizations in the ecosystem,
upstream, downstream, and horizontally. Information is shared with all of these entities.
So, instead of having a few drinks at the bar with other security professionals,
there is a process for alerting people to security incidents, to share information,
and it's a very formal kind of a process, and that's what you want to see.
And then finally, tier four is adaptive.
And so here we're talking continuous improvement. Okay, every time there's a security incident,
you analyze what happened. You generate a lessons learned. You start to look for predictive indicators.
You have a formal organization-wide approach to managing cybersecurity risk,
and senior management monitors this just as they monitor financial risks and other organizational
risks. Okay, very important. Right now, what tends to happen is that in a lot of organizations,
the people responsible for information security are regarded in some places as an annoyance.
You know, I'm trying to get sales, and you're interfering with that with all your security,
or why should I spend all this money to secure our environment? That does not flow to the
bottom line. And a good way to fix that is with massive fines and jail terms. When your chief
executive officer is faced with the prospect of jail time, they will suddenly decide it is worthwhile
to invest in security. All right, so that would be one way to do that. Now, in this case, the
organization, if it's an adaptive tier four organization, is part of a larger community and
contributes to that community to help everyone understand the risks.
And the next thing we want to look at is the framework profile. Now, the framework profile
aligns the functions that we looked at. Remember the five functions? Identify, protect,
detect, respond, recover. Now, those have to be aligned with the business requirements,
risk tolerance, and resources. So you analyze the present state in comparison to the desired
future state and create a roadmap. And that roadmap can be developed for making improvements to
achieve that desired future state. As we say in project management, if you fail to plan, you plan
to fail. So, you know, you need to have a strategy for getting to where you're going and then
you need to execute that strategy. Now, a comparison of the current profile with the target profile
is going to reveal gaps. We call that gap analysis. And the whole purpose of gap analysis is to
identify where action needs to take place. Now, this overall approach is based on risk management.
So we do expect prioritization is going to happen here. You may identify five gaps, but are they
all of equal significance? Not necessarily, okay? You want to identify the highest priority ones
based, as we said before, on how likely they are to happen and what the cost is if they do happen.
So it's quite possible that you're going to look at this and say, well, some of these risks
we're just going to accept or we will ensure. Now, insurance is a tricky thing. I noticed there's
a big thing in the news right now about a lawsuit because a company had cyber insurance.
And they were victimized by the not-petsha attack. And that not-petsha attack
looks like it may have come from Russia. And the insurance company said, oh, acts of war,
that's excluded. We don't have to pay you anything. So insurance is a little bit tricky right now.
I assume this is going to get sorted out at some point, but I'm not sure I want to rely 100%
on insurance to protect me. So how do we use this framework? Okay, there's a number of things
that we can recommend here. Number one, do a basic review of your cyber security practices.
So compare your practices with those in the framework core and you're going to identify areas for
improvement. Establish or improve your cyber security program. And the number of elements of that
prioritize and scope. Okay, assess your business objectives. What are your organizational priorities?
Figure out what it is you need to do. Then orient, identify related systems and assets,
regulatory requirements, and the overall risk approach.
Create a current profile. Where are we right now? What's our starting point?
Conduct or risk assessment. Analyze both the probability and cost of possible cyber security events.
And you really want to do both of those, both the probability and the cost. You multiply those two
things together and you get what in mathematics is called expected value. You don't want to spend
a million dollars to protect yourself against something with an expected cost of a thousand dollars.
That's stupid. Create your target profile. Where do you want to be in the future based on
your priorities and your risk assessment? Where do we want to be?
Then determine, analyze, and prioritize the gaps. Create that plan. Where are we now? Where do we
want to be? And then implement it. And that's important. I came out of a planning meeting the
other day with upper management and we were on a project. They had kind of laid down, you know,
here's what we want you to do. And we came up with a plan that said, well, if you can help us do
ABC and D, we think we can get there. And they said, fine, we will help you get ABC and D. So
walking out, I said to one of my colleagues, now we just got to execute the plan. You know,
very important part there. Then repeat these steps. This should be a process of continuous
improvement. And that is so important. And you know, if you're working in an environment where
you're doing agile programming, you're a large part of the way they're already. But you want to
continually assess, you know, every time you do something, where are we? Okay. So you started with
a current profile. Then you go through a round of improvements. That current profile no longer
represents where you are. Well, where are we now? Have we gotten to where our target was?
And if we did, is that still where the target needs to be? Because you're in an environment where
threats are changing continuously, you need to be thinking continuous improvement.
Now, one of the things that's important is the communication. So you want to be able to
communicate with the stakeholders, particularly management. So a current profile is one useful thing
to communicate to management, to say, you know, here's where we are. And then bring in your target
profile. So if you can get management buy in, and then that becomes the basis for requirements
documents for dealing with your business partners, like your suppliers, you know, for large
organizations, supply chain risk management is now a critical organizational function.
Target profiles can also help align activities within an organization.
That's also going to help your buying decisions. All right. Your purchasing decisions should reflect
where it is you want to be. What's your target profile is saying? So you want to buy things that
are going to help advance you towards that. And if you currently are buying things that don't
advance you, then, you know, take a look at that. Maybe that's not what you should be buying anymore.
You should identify opportunities for new or revised information references.
For example, your organization has identified a priority for action, but it finds few or inadequate
informational references. Well, you know, that may mean this is something that has not been well
developed yet. Well, you could just say, gee, that's a damn shame, but what's even better is
collaborate with other organizations in your ecosystem and start developing those things.
You need a methodology to protect privacy and civil liberties. Now, this is an area where,
for instance, the European Union, I think, has been doing a much better job than the United States
government. You know, your cybersecurity may involve collecting information from individuals.
And then, you know, in the European Union, you got the GDPR, just one example, and I don't
think that's the end of the process by a long shot. So what you need to do is start developing
formal policies to protect privacy and guard the information from your customers.
And take a look at what your legal requirements are in that respect as well. And, you know,
I think a lot of American companies that are suddenly finding themselves subject to this kind
of regulation, it's kind of a shock because, you know, they succeeded in getting the American
government to be hands off. Well, you know, what I'm reading right now is the American Congress
is starting to wake up as well and say, hey, you know, the days of letting you guys run wild are
over, we need to rein this in now. So that was basically the framework that NIST put together
for cybersecurity at the organizational level. And so the idea is not so much to lay down specific
regulations, but to create a framework for self improvement and self assessment. It's more
of a process than anything. So for every organization, they're going to have to figure out what
works in their environment with their particular risk profile with their particular goals.
So you use the framework as a way of moving towards where you need to be.
And that's not a bad thing, I don't think. So what I'm going to do is this went on a little bit
longer than most of mine. So I'm going to sign off now and remind you as always to support free
software. Bye-bye.
You've been listening to HECCA Public Radio at HECCA Public Radio.org. We are a community podcast
network that releases shows every weekday Monday through Friday. Today's show, like all our shows,
was contributed by an HBR listener like yourself. If you ever thought of recording a podcast and
click on our contributing to find out how easy it really is. HECCA Public Radio was found
by the digital dog pound and the infonomican computer club and is part of the binary revolution
at binwreff.com. If you have comments on today's show, please email the host directly, leave a
comment on the website or record a follow-up episode yourself. Unless otherwise status, today's show
is released on the create of comments, attribution, share a like, 3.0 license.
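Review bot: the transcript body being committed is machine-generated (the header records `Transcribed: 2025-10-24 12:08:30`) and carries recognition errors that will degrade search over the knowledge base this commit sets up: the spoken intro reads "NIST I'm a Security Framework" where the `Title:` line says "NIST Cybersecurity Framework", "not-petsha" stands for the NotPetya attack, "fishing" for phishing, "except the risk" for accept the risk, and the outro has "HECCA Public Radio" and "HBR" for Hacker Public Radio and HPR. A query for "NotPetya" or "phishing" against this text will not match the episode even though both are discussed. Suggest either a normalization pass over known terms before the file is loaded, or at minimum having the loader treat the `Episode:` and `Title:` header fields (everything above the `---` separator) as the authoritative metadata and the text below it as lower-confidence body text, and surfacing the `Transcribed:` date so consumers of the search results know the provenance.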