1 SOLUTION BRIEF NIST FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY The NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide
2 SOLUTION BRIEF CA DATABASE MANAGEMENT FOR DB2 FOR z/os DRAFT Every company is constantly under attack. If anybody tells you they re not, it just means they don t know. It is a threat that is broad-based. It s not just from one source... and it s just unceasing. 1. Wes Bush, Northrup Grumman, Chief Executive Healthcare Security Solutions: Protecting Your Organization, Patients, And Information
3 3 SOLUTION BRIEF: NIST FRAMEWORK FOR CYBERSECURITY FOR CRITICAL INFRASTRUCTURE ca.com The Increasing Threat to Critical Infrastructure Attacks on sensitive IT systems and data increased during 2013, many of which caused substantial financial and reputational damage to the companies involved. Still, a successful attack on the underpinnings of the nation s critical infrastructure would have far more catastrophic impacts than this. The NIST Framework for Cybersecurity for Critical Infrastructure was approved in Feb, 2014, and is intended to help establish guidelines and best practices for ensuring that our critical systems are adequately protected. Although it is a voluntary framework, it is expected that it will be adopted by many companies in order to strengthen their security posture. An emphasis on flexibility The NIST Framework was designed with a very high degree of flexibility for organizations that would like to follow its guidelines. It is also technology-neutral, and incorporates existing industry standards and best practices no re-inventing the wheel. Most importantly, it enables each organization to profile its own cybersecurity efforts, define a target profile, and then put in place a plan to reach that goal. In this regard, its guidelines should be considered not as requirements but as scorecards that are based on the unique business needs, risk appetite, and security demands for each environment and provide a guide for continuous improvement based on changing risk and threat dynamics. What is critical infrastructure? When one thinks about the nation s critical infrastructure, we usually think of the grid, water supplies, national defense, and the like. But, the Framework makes clear that critical infrastructure is an expansive concept that includes many systems that aren t generally thought of in this context, such as: commercial facilities; communications; critical manufacturing; dams; defense industrial; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; materials; and transportation systems. This makes it clear that a large number and wide variety of public and private organizations will be impacted by the Framework.
4 4 SOLUTION BRIEF: NIST FRAMEWORK FOR CYBERSECURITY FOR CRITICAL INFRASTRUCTURE ca.com Overview of the Framework The Framework consists of three major elements: Framework Core A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. Framework implementation tiers Tiers describe the degree to which an organization s cybersecurity risk management practices exhibit the characteristics defined in the Framework. There are four tiers that can be used to identify the current state of your cybersecurity effort. These tiers and their brief characteristics include: Tier 1 (Partial): Informal cybersecurity risk management practices, ad hoc and reactive approach to risk management Tier 2 (Risk-Informed): Management-approved risk management processes, awareness of risk at organizational level, but lack of organization-wide approach Tier 3 (Repeatable): Risk management processes expressed as policy, organization-wide approach to manage cybersecurity risk, risk-informed policies, processes and procedures Tier 4 (Adaptive): Adaptable cybersecurity practices based on lessons learned and predictive indicators, continuous improvement incorporating advanced technologies and practices, active sharing of information with partners both before and after cybersecurity events Framework profile Describes outcomes based on the business need and risk assessment that the organization has selected from the Core. This information enables you to identify opportunities for improving cybersecurity by moving from current state to target state. To develop a Profile, an organization can review all the Categories and SubCategories and, based on business drivers and a risk assessment, determine which are most important. The Current Profile can then be used so support prioritization and measurement of progress towards the Target Profile. It can also be used to support communication within the organization. The Framework Core a little more detail The Core consists of functions, categories, sub-categories, and related industry standards. But, note that the Core does not represent a set of actions to perform - rather it defines outcomes that are helpful in improving cybersecurity. The functions included in the Core include: Identify develop the organizational understanding to manage cybersecurity risk to systems, applications, and data Protect implement safeguards to ensure the secure delivery of infrastructure services Detect implement the appropriate activities to identify a cybersecurity event Respond implement the appropriate activities to take action on a cybersecurity event Recover maintain plans for resilience and to restore any services impacted by a cybersecurity event. These Core functions serve to help the organization classify and evaluate their cybersecurity activities, enhance their risk management programs, and track progress of efforts to move from one level of security maturity to a higher level. In this regard, they are an excellent unifying model for your cybersecurity programs.
5 5 SOLUTION BRIEF: NIST FRAMEWORK FOR CYBERSECURITY FOR CRITICAL INFRASTRUCTURE ca.com How to Use the Framework to Improve Cybersecurity The Framework is not intended to replace your existing security processes. Rather, it is intended to complement them, and to help you develop a profile of your current security state, as well as identify your desired state of security, based on the guidelines in the Framework. This approach will enable you to develop an action plan for improving your cybersecurity profile, consistent with your business needs, risk appetite and available resources. A simplified approach to leveraging the Framework is as follows: Prioritize and scope Determine your business priorities and scope your critical business systems that support these priorities and objectives. Identify your regulatory requirements and risk appetite, and identify areas of vulnerabilities and threats. Create a current cybersecurity profile Using the Framework, identify areas where your processes meet your business needs, and those that need strengthening. Conduct a security risk assessment Determine the likelihood of a cybersecurity event, and the impact that it would have on your organization, as well as include your appetite for ongoing risk. Create a target profile Given your current profile and risk appetite, what areas need improvement? Determine where you would like to be in terms of the Framework profiles, and what your time frame is. Determine gaps What areas need strengthening for you to arrive at your desired target profile? Identify these areas, analyze them, and prioritize their implementation. Identity resources required to evolve each area of your profile to the desired state. Finalize an action plan Based on your priorities and required resources, lay out a path to reach your target profile. The top security threats of 2013 were social engineering, advanced persistent threats, and insider threat. 2
6 6 SOLUTION BRIEF: NIST FRAMEWORK FOR CYBERSECURITY FOR CRITICAL INFRASTRUCTURE ca.com CA Security and the NIST Framework Of the functions described above, the one most relevant to protection of systems and data is the Protect function. The Protect categories describe outcomes relating to protecting systems and data from a variety of threats, both internal and external. It also includes procedural topics such as awareness, training, and management of technology assets requirements that do not require a security solution. The categories of the Protect function, and the name of any CA Technologies security solution that can help with compliance for each category, is as follows: Function ID Category Primary Product Secondary Product Protect PR.AC Access Control CA Privileged Identity Manager PR.AT Awareness & Training Not relevant to CA Solutions PR.DS Data Security CA Privileged Identity Manager CA API Mgt & Security CA Data Protection PR.IP Info Protection Processes Not relevent to CA Solutions PR.MA Maintenance CA Privileged Identity Manager PR.PT Protective Technology CA Privileged Identity Manager CA SSO CA API Mgt & Security CA Identity Manager CA Identity Governance CA Advanced Authentication
7 7 SOLUTION BRIEF: NIST FRAMEWORK FOR CYBERSECURITY FOR CRITICAL INFRASTRUCTURE ca.com Let s look in more detail at how CA solutions can help an organization achieve outcomes that conform to these requirements. Critical capabilities for Framework compliance are bolded. Category: Access Control PR.AC-1: Identities and credentials are managed for authorized devices and users PR.AC-2: Physical access to assets is managed and protected PR.AC-3: Remote access is managed PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate CA Privileged Identity Manager manages and secures privileged identities. It can restrict access to systems and accounts (including shared accounts) to only authorized users. Access to accounts is managed by CA Shared Account Management. Not relevant to CA Security solutions CA Privileged Identity Manager manages remote connections to systems and devices. Host-based access controls can restrict remote connections according to criteria including IP address. It can also restrict remote connections to ensure they come from the proxy server. CA Privileged Identity Manager provides fine-grained access controls that can ensure separation of duties and least-privilege access. It does this at the OS kernel level, making it the most secure access control implementation. CA Shared Account Management provides both least privilege access and separation of duties by controlling who has access to shared, privileged accounts. The CA Identity Suite also help ensure proper access rights thru automation of access certifications and role-based provisioning processes. CA Privileged Identity Manager can restrict inbound and outbound connections to systems and devices to specific IP addresses, helping to preserve network integrity. Category: Data Security PR.DS-1: Data-at-rest is protected PR.DS-2: Data-in-transit is protected PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition PR.DS-4: Adequate capacity to ensure availability is maintained PR.DS-5: Protections against data leaks are implemented PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity PR.DS-7: The development and testing environment(s) are separate from the production environment The CA Solution can protect specific files and folders, so it can protect Data-atrest. Access to protected resources can be denied to even the superuser. CA API Management & Security secures data-in-transit through protocol-, message-, and field-level confidentiality, integrity operations, and availability protection. Not relevant to CA Security solutions Not relevant to CA Security solutions CA Data Protection can discover, classify, and protect sensitive info against disclosure, theft, improper actions ( , USB device, etc) The CA API Suite can protect against common data extraction threats, validate request/response data schemas, and filter message content in transit CA Privileged Identity Manager provides a Trusted Program Execution capability that can ensure that programs have not been modified before execution. Not relevant to CA Security solutions
8 8 SOLUTION BRIEF: NIST FRAMEWORK FOR CYBERSECURITY FOR CRITICAL INFRASTRUCTURE ca.com Category: Maintenance PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access CA Privileged Identity Manager can manage and monitor maintenance sessions on critical systems and devices. It can control access to the identities used to provide maintenance, restrict that access to follow the principle of least privilege, and log all user actions. Break Glass functionality can enable emergency maintenance. It can manage and also monitor remote maintenance of systems and devices. Category: Protective Technology PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy PR.PT-2: Removable media is protected and its use restricted according to policy PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality PR.PT-4: Communications and control networks are protected It can log all actions taken by users, including administrators. It can track actions performed using shared accounts to individuals. The CA Solution can prevent execution of any executable that is identified as non-essential. It also provides fine-grained access controls to systems and assets on them to protect against unauthorized access CA SSO centrally controls access to Web apps from all devices CA Identity Suite helps ensure correct access entitlements for all users. Role discovery, provisioning, and automated access certification help ensure correct access rights. CA API secures access to service interfaces from all devices and applications CA Advanced Authentication enables risk-based, strong authentication of users, to protect against stolen credentials, or brute force authentication attempts. Not relevant to CA Security solutions
9 9 SOLUTION BRIEF: NIST FRAMEWORK FOR CYBERSECURITY FOR CRITICAL INFRASTRUCTURE ca.com Summary of Key Security Capabilities In order to conform to the guidelines of the Protect function, the following capabilities are very important: Key Capability Description Benefit Shared Account Password Management Fine-Grained Access Controls User Activity Reporting / Video Session Recording End-to-End Encryption API Management & Security Strong, Risk-based Authentication Control access to privileged, administrative accounts with password storage and automatic login capabilities. Control what access privileged users have based on their individual identity, even when using a shared administrative account. Records all user actions, tracking all records by individual, even when a shared account is used. Protect all data-in-transit through data encryption. Control access to APIs based on identity and access rights. Combat data extraction and other attacks. Enable strong, multi-factor authentication, with risk analysis based on contextual factors. Reduces the risk of unauthorized users gaining access to privileged accounts. Prevents password sharing. Reduces risk by providing administrators with only the minimum privileges they need to do their jobs. Makes it simple to find out who did what in a forensic investigation Improved security and confidentiality of data Protect against external, targeted attacks and data leaks. Improve security for all users, combat identity theft and stolen credential attacks. Insider fraud is a common occurrence. On average, organizations have had approximately 55 employee-related incidents of fraud in the past 12 months. 3 The Ponemon Institute
10 10 SOLUTION BRIEF: NIST FRAMEWORK FOR CYBERSECURITY FOR CRITICAL INFRASTRUCTURE Taking the next step The NIST Framework could potentially have a substantial impact on the cybersecurity activities of a large number of organizations, both public and private, over the next year. Even if an organization does not attempt formal compliance with the entire Framework, many companies will attempt to evolve their cybersecurity capabilities to become more aligned with the guidelines included within it. And, this adoption is likely to be global in scope, due to the importance of protecting critical infrastructure, and the flexibility enabled by the Framework. Getting a head start on compliance with the Framework is also an important consideration. All it takes is one successful attack on critical infrastructure to have a profound impact not only on the organization, but also possibly on thousands or millions of unsuspecting users of that infrastructure. Avoiding a disastrous situation like this, and establishing a track record of protecting customer information from loss, will help to increase customer confidence in the security capabilities of your organization. Customer confidence creates loyalty. CA Technologies is proud to have played a consultative role in the creation of this Framework. CA Security solutions can be used effectively to strengthen your cybersecurity profile in order to help meet the requirements of this Framework. Connect with CA Technologies at ca.com CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate across mobile, private and public cloud, distributed and mainframe environments. Learn more at ca.com. 1 Wes Bush, Northrup Grumman Chief Executive The Ponemon Institute, The Risk of Insider Fraud: Second Annual Study. February 2013 Copyright CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document as is without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any CA software product referenced herein shall serve as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, policy, standard, guideline, measure, requirement, administrative order, executive order, etc. (collectively, Laws )) referenced in this document. You should consult with competent legal counsel regarding any Laws referenced herein. CS _1014