Episode: 2850
Title: HPR2850: NIST Cybersecurity Framework
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr2850/hpr2850.mp3
Transcribed: 2025-10-24 12:08:30
---
This is HPR Episode 2850 entitled "NIST Cybersecurity Framework" and is part of the series "Privacy and Security". It is hosted by Ahuka, is about 28 minutes long, and carries a clean flag. The summary is: what NIST suggests as a framework to improve security at the enterprise level. This episode of HPR is brought to you by AnHonestHost.com. Get 15% discount on all shared hosting with the offer code HPR15. That's HPR15. Better web hosting that's honest and fair at AnHonestHost.com.

Hello, this is Ahuka, welcoming you to Hacker Public Radio and another exciting episode in our Security and Privacy series. We recently did a show that talked about the CERT recommendations for home networks, so that's aimed at the average home user. What I want to do today is go to the other side and take a look at enterprise-level issues involving security. What I want to do is take a look at something from the National Institute of Standards and Technology here in the United States, which they call their Cybersecurity Framework. Now, the National Institute of Standards and Technology does have a number of responsibilities, but one of them certainly is information technology and security, and so when they issued this Cybersecurity Framework, I thought, you know, not a bad thing to take a look at, and I think we do have some people who are in an enterprise-level environment that would perhaps be interested in seeing what this says. Now, their Cybersecurity Framework sets standards for best practices that private companies are urged to adopt, but federal government agencies are also directed to follow these guidelines. Now, that is not to say that they are doing so in all cases.
Actual compliance is somewhat spotty, and that, certainly in the United States at least, is something that's an ongoing problem: you can lay down rules as to what people are supposed to do, but whether they'll actually do them is another thing entirely. Now, one of the things we're going to see as we look at this, and this explains part of the problem, I think, is that there's always a conflict between security and ease of use that we talk about with people at the individual level. So, we talk about things like doing firmware updates and using strong passwords and everything. That's a little more work for people to do. When you get to the enterprise level, now you add in cost and other resources as an issue. Achieving security at the enterprise level is not free. It is going to require you to spend money. It's going to require you to devote person-hours, staff resources, and change your methods in some way. So, all of these things are reasons why the compliance level is not what it should be. Now, is that a bad thing? You know, that's a question that management has to address. Since resources are not infinite, you do need to choose priorities, and I would be the first to admit, in my private life, I don't necessarily do every single thing that is recommended as a security requirement, because in some cases, it's like, I don't think it's a big deal for me, and I'll make my own decisions. So, as we go through this list of recommendations, it's quite possible that you're not going to find many, if any, organizations that do every single thing in this list. But it's a useful look at this one group, NIST, and what their take is on best practices. And I think it's important because we are becoming more and more reliant on large organizations to handle critical infrastructure, and that infrastructure is controlled by computers, and security of those devices becomes important.
I was recently reading an interesting article about how Russia is targeting utilities, and they basically started by going after Ukraine, but they're starting to also target utilities here in the United States, and if tensions increase, what can they do? Well, probably nothing good. Now, if you want to take a look at the document yourself, which you're encouraged to do, the link is going to be in the show notes for this.

Now, the key term to understanding the approach that NIST uses is something called risk management. That does not always mean adopting strict measures. You know, conceptually, the responses to risk are: one, mitigation; two, insurance; or three, accept the risk. Mitigation is what we normally think of as a response to risk, but insuring against the outcome, or simply accepting that something may happen, can be valid responses as well. It depends on the situation. Deciding which way to approach it usually starts with a calculation involving both the probability of an occurrence and the cost if it happens. If a risk has a low probability of occurring and a low cost if it does occur, it is entirely rational to just accept the risk. Now, the organizations that are the target of this particular document are critical infrastructure, which can be both public and private in the United States. Private organizations are encouraged to follow these recommendations, but a presidential order in 2017 directed all federal agencies to follow them. Now, this framework has three major components: one, the Framework Core, which defines a common set of practices and outcomes for security; two, Framework Implementation Tiers, which focus on risk management practices; and three, a Framework Profile, which lets organizations assess their current state, compare it to the desired future state, and identify opportunities for improvement.
So, the first of these is the Framework Core, and the framework provides a common language for understanding, managing, and expressing cybersecurity risk to internal and external stakeholders. It can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. It can be used to manage cybersecurity risk across an entire organization, or it can be focused on the delivery of critical services within an organization. Different types of entities, including sector coordinating structures, associations, and organizations, can use the framework for different purposes, including the creation of common profiles. So, that paragraph is really a quote itself from the framework document, and lays out what they're looking at here.

Now, the Framework Core has five functions. The core functions: number one, Identify, and there are two parts of this, identification of the risks, and identification of the resources available to deal with the risks. Two, Protect. That means to put safeguards in place to limit or contain the impact of a cybersecurity event. Three, Detect. These are activities that involve security monitoring, detecting anomalies, and so on. Four, Respond. That means to take appropriate action to contain the impact of a potential cybersecurity incident. And five, Recover. This is the resilience part. You need to be able to restore normal operations and capabilities as quickly as possible.

Now, Framework Implementation Tiers. This is about the degree of sophistication in cybersecurity risk management practices. The document states that these tiers do not represent maturity levels, but I have to admit, I am not sure where the distinction lies, since it sure sounds to me like they are maturity levels. If you have a better understanding of that than I do, please record a show and explain it. I'm sure Ken would love to have more. So, Tier One, Partial.
At this level, risk management practices are not formalized. Risks are managed in an ad hoc or reactive manner. So, clearly, this is the beginning level. Cybersecurity practices are not guided by risk objectives, the threat environment, or business requirements. I think I still tend to see a certain number of these things going on, even in the large organization that I work for. One of the ones that constantly grates on me is this: you must change your password every 60 days. Why? There's never a good answer to why. It's just, well, because that's what everyone does. So, that's an example of a practice that is not guided by risk objectives, a threat environment, or business requirements. Now, also Tier One: a limited awareness of cybersecurity risk at the organizational level, and events are handled on a case-by-case basis. I think of this when some company has been cracked and people have stolen a bunch of personally identifiable information from all of the customers. And it's just, oh my God, no one could have predicted this. It is a super sophisticated attack. And when you finally learn what went on, it was like it was garden-variety phishing. But if you don't have any awareness of what's going on, and you don't have that awareness at the organizational level, then you're just stumbling from one thing to the next. For Tier One, information may not be shared within the organization. Information should be shared, but maybe you have people that are involved in turf battles. Oh my God, if I let anyone know what's going on, it'll make me look bad. The organization will tend to view its risks in isolation and does not share information or collaborate with other entities. It does not see itself as part of an ecosystem. So that's not good. This is really, I think, where a lot of organizations are right now, particularly a lot of private companies.

Now Tier Two is a little bit better. This is what we call Risk Informed.
So for a Tier Two organization, there are formal risk management policies that are approved by management. There's prioritization of cybersecurity activities, and it is informed by organizational risk objectives and the threat environment. Now in our past discussions of security, I frequently quoted or paraphrased Bruce Schneier that everything starts with: identify the threat, and what is it that you want to protect yourself against. There's no sense in using a cannon to shoot flies, but on the other hand, you don't want to bring a squirt gun to a gunfight. So understand the environment you're operating in and what you need to protect. Now in a Risk Informed Tier Two organization, cybersecurity information is shared within the organization, but it's kind of informal. There is some level of awareness of other organizations in the ecosystem, and some information sharing is going on, but not in any formal way. So that kind of sounds a little bit like, yeah, there's a chief information security officer who went to a conference and had some drinks at the bar with a few other CISOs, and they chatted about what's going on. It's better than nothing, but it's not a formal process of any kind.

Tier Three, and that tier is what they call Repeatable. Risk management is expressed as formal policies. Cybersecurity practices are regularly updated in response to changing business needs, a changing threat environment, and changing technology. Now, all of those things are continually changing. So you need to change with it. Things that probably seemed perfectly valid five or ten years ago are not valid now. So you need to do your updating, and then you also want to have an organization-wide approach to managing cybersecurity risk. All right, look at the entire environment, and your policy should be regularly reviewed and consistently applied. Now, a Tier Three organization collaborates with other organizations in the ecosystem: upstream, downstream, and horizontally.
Information is shared with all of these entities. So, instead of having a few drinks at the bar with other security professionals, there is a process for alerting people to security incidents, to share information, and it's a very formal kind of a process, and that's what you want to see.

And then finally, Tier Four is Adaptive. And so here we're talking continuous improvement. Okay, every time there's a security incident, you analyze what happened. You generate a lessons learned. You start to look for predictive indicators. You have a formal organization-wide approach to managing cybersecurity risk, and senior management monitors this just as they monitor financial risks and other organizational risks. Okay, very important. Right now, what tends to happen is that in a lot of organizations, the people responsible for information security are regarded in some places as an annoyance. You know, I'm trying to get sales, and you're interfering with that with all your security, or why should I spend all this money to secure our environment? That does not flow to the bottom line. And a good way to fix that is with massive fines and jail terms. When your chief executive officer is faced with the prospect of jail time, they will suddenly decide it is worthwhile to invest in security. All right, so that would be one way to do that. Now, in this case, the organization, if it's an Adaptive Tier Four organization, is part of a larger community and contributes to that community to help everyone understand the risks.

And the next thing we want to look at is the Framework Profile. Now, the Framework Profile aligns the functions that we looked at. Remember the five functions? Identify, Protect, Detect, Respond, Recover. Now, those have to be aligned with the business requirements, risk tolerance, and resources. So you analyze the present state in comparison to the desired future state and create a roadmap.
And that roadmap can be developed for making improvements to achieve that desired future state. As we say in project management, if you fail to plan, you plan to fail. So, you know, you need to have a strategy for getting to where you're going and then you need to execute that strategy. Now, a comparison of the current profile with the target profile is going to reveal gaps. We call that gap analysis. And the whole purpose of gap analysis is to identify where action needs to take place. Now, this overall approach is based on risk management. So we do expect prioritization is going to happen here. You may identify five gaps, but are they all of equal significance? Not necessarily, okay? You want to identify the highest priority ones based, as we said before, on how likely they are to happen and what the cost is if they do happen. So it's quite possible that you're going to look at this and say, well, some of these risks we're just going to accept or we will insure. Now, insurance is a tricky thing. I noticed there's a big thing in the news right now about a lawsuit because a company had cyber insurance. And they were victimized by the NotPetya attack. And that NotPetya attack looks like it may have come from Russia. And the insurance company said, oh, acts of war, that's excluded. We don't have to pay you anything. So insurance is a little bit tricky right now. I assume this is going to get sorted out at some point, but I'm not sure I want to rely 100% on insurance to protect me.

So how do we use this framework? Okay, there are a number of things that we can recommend here. Number one, do a basic review of your cybersecurity practices. So compare your practices with those in the Framework Core and you're going to identify areas for improvement. Establish or improve your cybersecurity program. And there are a number of elements of that. Prioritize and scope. Okay, assess your business objectives. What are your organizational priorities?
Figure out what it is you need to do. Then orient: identify related systems and assets, regulatory requirements, and the overall risk approach. Create a current profile. Where are we right now? What's our starting point? Conduct a risk assessment. Analyze both the probability and cost of possible cybersecurity events. And you really want to do both of those, both the probability and the cost. You multiply those two things together and you get what in mathematics is called expected value. You don't want to spend a million dollars to protect yourself against something with an expected cost of a thousand dollars. That's stupid. Create your target profile. Where do you want to be in the future based on your priorities and your risk assessment? Where do we want to be? Then determine, analyze, and prioritize the gaps. Create that plan. Where are we now? Where do we want to be? And then implement it. And that's important. I came out of a planning meeting the other day with upper management and we were on a project. They had kind of laid down, you know, here's what we want you to do. And we came up with a plan that said, well, if you can help us do A, B, C and D, we think we can get there. And they said, fine, we will help you get A, B, C and D. So walking out, I said to one of my colleagues, now we just got to execute the plan. You know, very important part there. Then repeat these steps. This should be a process of continuous improvement. And that is so important. And you know, if you're working in an environment where you're doing agile programming, you're a large part of the way there already. But you want to continually assess, you know, every time you do something, where are we? Okay. So you started with a current profile. Then you go through a round of improvements. That current profile no longer represents where you are. Well, where are we now? Have we gotten to where our target was? And if we did, is that still where the target needs to be?
Because you're in an environment where threats are changing continuously, you need to be thinking continuous improvement. Now, one of the things that's important is the communication. So you want to be able to communicate with the stakeholders, particularly management. So a current profile is one useful thing to communicate to management, to say, you know, here's where we are. And then bring in your target profile. So if you can get management buy-in, then that becomes the basis for requirements documents for dealing with your business partners, like your suppliers. You know, for large organizations, supply chain risk management is now a critical organizational function. Target profiles can also help align activities within an organization. That's also going to help your buying decisions. All right. Your purchasing decisions should reflect where it is you want to be. What is your target profile saying? So you want to buy things that are going to help advance you towards that. And if you currently are buying things that don't advance you, then, you know, take a look at that. Maybe that's not what you should be buying anymore. You should identify opportunities for new or revised informative references. For example, your organization has identified a priority for action, but it finds few or inadequate informative references. Well, you know, that may mean this is something that has not been well developed yet. Well, you could just say, gee, that's a damn shame, but what's even better is to collaborate with other organizations in your ecosystem and start developing those things. You need a methodology to protect privacy and civil liberties. Now, this is an area where, for instance, the European Union, I think, has been doing a much better job than the United States government. You know, your cybersecurity may involve collecting information from individuals.
And then, you know, in the European Union, you've got the GDPR, just one example, and I don't think that's the end of the process by a long shot. So what you need to do is start developing formal policies to protect privacy and guard the information from your customers. And take a look at what your legal requirements are in that respect as well. And, you know, I think for a lot of American companies that are suddenly finding themselves subject to this kind of regulation, it's kind of a shock because, you know, they succeeded in getting the American government to be hands-off. Well, you know, what I'm reading right now is the American Congress is starting to wake up as well and say, hey, you know, the days of letting you guys run wild are over, we need to rein this in now.

So that was basically the framework that NIST put together for cybersecurity at the organizational level. And so the idea is not so much to lay down specific regulations, but to create a framework for self-improvement and self-assessment. It's more of a process than anything. So for every organization, they're going to have to figure out what works in their environment with their particular risk profile, with their particular goals. So you use the framework as a way of moving towards where you need to be. And that's not a bad thing, I don't think. So what I'm going to do is, this went on a little bit longer than most of mine, so I'm going to sign off now and remind you as always to support free software. Bye-bye.

You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our Contributing link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club and is part of the binary revolution at binrev.com.
If you have comments on today's show, please email the host directly, leave a comment on the website or record a follow-up episode yourself. Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 license.
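The episode describes a procedure (current profile, risk assessment as probability times cost, target profile, gap analysis, prioritization, choose accept/mitigate/insure) without showing the arithmetic. The following is an added example, not part of the episode or of the NIST framework documents, that carries that procedure through in Python on a constructed risk register. It assumes a deliberately simple cost model (mitigation has an annual cost and leaves a residual probability; insurance has a premium and covers a fraction of the impact; everything else is accepted exposure) and maps each risk to the Framework Core function whose tier gap most affects it. The tier numbers, dollar figures and probabilities are constructed illustrations, not data from the page.

```python
"""Risk register, expected loss and profile gap analysis in the spirit of the
NIST CSF process discussed in the episode. Added example; all figures are
constructed for illustration, not taken from any real organization."""
from dataclasses import dataclass

# Framework Core functions and Implementation Tier names as given in the episode.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass
class Risk:
    name: str
    function: str               # Core function whose gap most affects this risk
    probability: float          # estimated annual probability of occurrence (0..1)
    impact: float               # estimated cost if it occurs, in dollars
    mitigation_cost: float      # annual cost of the control that would address it
    residual_probability: float  # probability remaining once the control is in place
    premium: float = 0.0        # annual insurance premium; 0 means not insurable
    covered_fraction: float = 0.0  # share of the impact the policy would actually pay

    def expected_loss(self) -> float:
        """Expected value of the loss: probability times cost, as in the episode."""
        return self.probability * self.impact

    def response_costs(self) -> dict:
        """Annualized cost of each response option (simplified model, an assumption)."""
        costs = {
            "accept": self.expected_loss(),
            "mitigate": self.mitigation_cost + self.residual_probability * self.impact,
        }
        if self.premium > 0:
            # Exclusions (the episode's 'acts of war' case) are modelled as uncovered impact.
            uncovered = self.probability * self.impact * (1 - self.covered_fraction)
            costs["insure"] = self.premium + uncovered
        return costs

    def cheapest_response(self) -> str:
        costs = self.response_costs()
        return min(costs, key=costs.get)


# Constructed sample register (illustrative numbers only).
RISKS = [
    Risk("Credential theft via phishing", "Protect", 0.5, 200_000, 40_000, 0.1, 50_000, 0.8),
    Risk("Ransomware halts operations", "Recover", 0.1, 2_000_000, 150_000, 0.02),
    Risk("Marketing microsite defaced", "Detect", 0.2, 5_000, 20_000, 0.05),
    Risk("Intrusion goes undetected for months", "Detect", 0.3, 500_000, 120_000, 0.05),
]

# Constructed current and target profiles, expressed as a tier per function.
CURRENT_PROFILE = {"Identify": 2, "Protect": 1, "Detect": 1, "Respond": 2, "Recover": 1}
TARGET_PROFILE = {f: 3 for f in FUNCTIONS}


def gap_analysis(current: dict, target: dict, risks: list) -> list:
    """Rank functions with a tier gap by gap size weighted by the expected loss
    of the risks that depend on that function. Returns tuples of
    (function, current_tier, target_tier, gap, exposure, priority_score)."""
    exposure = {f: 0.0 for f in FUNCTIONS}
    for r in risks:
        exposure[r.function] += r.expected_loss()
    rows = []
    for f in FUNCTIONS:
        gap = target[f] - current[f]
        if gap > 0:
            rows.append((f, current[f], target[f], gap, exposure[f], gap * exposure[f]))
    rows.sort(key=lambda row: row[5], reverse=True)
    return rows


def response_plan(risks: list) -> dict:
    """Map each risk name to the cheapest response under the model above."""
    return {r.name: r.cheapest_response() for r in risks}


if __name__ == "__main__":
    for r in RISKS:
        costs = ", ".join(f"{k}=${v:,.0f}" for k, v in r.response_costs().items())
        print(f"{r.name}: expected loss ${r.expected_loss():,.0f}; {costs} -> {r.cheapest_response()}")
    print("\nGap analysis (highest priority first):")
    for f, cur, tgt, gap, exp, score in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISKS):
        print(f"  {f:<9} {TIERS[cur]} -> {TIERS[tgt]} (gap {gap}), exposure ${exp:,.0f}, score {score:,.0f}")
```

The microsite risk comes out as "accept" because the control costs far more than the expected loss, which is the episode's point about not spending a million dollars against a thousand-dollar expected cost; the ransomware and undetected-intrusion risks come out as "mitigate", and the Recover and Detect gaps rank first because that is where the weighted exposure sits. Rerunning the script after a round of improvements with an updated CURRENT_PROFILE is the "repeat these steps" part of the process.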