Compliance series Guide to the NIST Cybersecurity Framework



Similar documents
Compliance series Guide to meeting requirements of USGCB

Compliance series Guide to meeting requirements of the UK Government Cyber Essentials Scheme

Host-based Protection for ATM's

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

The NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide

Regulatory Compliance and Least Privilege Security

Critical Manufacturing Cybersecurity Framework Implementation Guidance

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Cybersecurity Framework Security Policy Mapping Table

Are You Ready for PCI 3.1?

Cybersecurity: What CFO s Need to Know

Cybersecurity The role of Internal Audit

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

Applying IBM Security solutions to the NIST Cybersecurity Framework

Chapter 1: Your relationship with risk

The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session

Chapter 2: The hidden flaws in Windows

NIST Cybersecurity White Paper

The True Story of Data-At-Rest Encryption & the Cloud

Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION

Securing the Microsoft Cloud

Enterprise Security Tactical Plan

Intelligent Security Design, Development and Acquisition

Check Point and Security Best Practices. December 2013 Presented by David Rawle

Risk Management in Practice A Guide for the Electric Sector

Application White Listing and Privilege Management: Picking Up Where Antivirus Leaves Off

Least Privilege in the Data Center

Understanding the NIST Cybersecurity Framework September 30, 2014

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Technical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments

PROTIVITI FLASH REPORT

FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.0

Happy First Anniversary NIST Cybersecurity Framework:

Automation Suite for NIST Cyber Security Framework

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

HITRUST Common Security Framework Summary of Changes

CONCEPTS IN CYBER SECURITY

Stay ahead of insiderthreats with predictive,intelligent security

Securing OS Legacy Systems Alexander Rau

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

DriveLock and Windows 8

Teradata and Protegrity High-Value Protection for High-Value Data

Information Security Services

Cyber Security Management

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

How to Use Windows Firewall With User Account Control (UAC)

Defending Against Data Beaches: Internal Controls for Cybersecurity

Applying the Principle of Least Privilege to Windows 7

Seven Things To Consider When Evaluating Privileged Account Security Solutions

CRR-NIST CSF Crosswalk 1

Paul Vlissidis Group Technical Director NCC Group plc

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

PCI Data Security Standards (DSS)

BYOD Guidance: Good Technology

5 Steps to Advanced Threat Protection

Pragmatic Metrics for Building Security Dashboards

NIST Cybersecurity Framework & A Tale of Two Criticalities

NIST Cybersecurity Framework What It Means for Energy Companies

Viewfinity Privilege Management Integration with Microsoft System Center Configuration Manager. By Dwain Kinghorn

Best Practices for Privileged User PIV Authentication

Cisco Advanced Malware Protection for Endpoints

Framework for Improving Critical Infrastructure Cybersecurity

Sygate Secure Enterprise and Alcatel

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection. September 2011

Healthcare s Model Approach to Critical Infrastructure Cybersecurity

How To Manage Cybersecurity In Healthcare

The NIST Cybersecurity Framework

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

Data Sheet: Messaging Security Symantec Brightmail Gateway Award-winning messaging security for inbound protection and outbound control

KEY STEPS FOLLOWING A DATA BREACH

Leveraging SANS and NIST to Evaluate New Security Tools

Cybersecurity Awareness. Part 1

Top Ten Technology Risks Facing Colleges and Universities

MEDICAL DEVICE Cybersecurity.

I ve been breached! Now what?

Managing cyber risks with insurance

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Framework for Improving Critical Infrastructure Cybersecurity

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Information Security and Risk Management

IBM Security Strategy

Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security

FFIEC Cybersecurity Assessment Tool

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

The Psychology of (In)Security

Transcription:

Compliance series Guide to the NIST Cybersecurity Framework avecto.com

In this paper, Avecto looks at the role least privilege security and application control play in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), a voluntary standard for public and private industry sectors supporting critical infrastructure, helping organizations improve security and comply with common regulatory standards. The NIST Cybersecurity Framework was created on a White House directive in 2013, and according to Gartner, while intended as a voluntary code, has been adopted by 30% of public and private enterprises in the US. CSF differs from many other regulatory codes in that rather than providing a checklist of security controls, it is a riskbased approach where organizations must evaluate their risk position and implement controls as appropriate. While intended as a voluntary code, [NIST] has been adopted by 30% of public and private enterprises in the US. Gartner 1 Framework overview The CSF does not replace existing security programs or risk management processes but is intended to improve processes to allow organizations to describe their present security posture, target state, assess progress towards achieving a new state and communicate about cybersecurity risk to stakeholders. The CSF consists of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. The Framework Core contains a list of cybersecurity activities, anticipated results, and related references to industry standards and guidelines that can be used to achieve the desired results. Five functions are used to provide an overview of an organization s cybersecurity risk profile: Identify, Protect, Detect, Respond, and Recover. These functions are then further subdivided into categories and subcategories that relate to Informative References giving further information about industry standards and best practice guidelines. 1 Source: http://www.nist.gov/itl/acd/cybersecurity-rosetta-stonecelebrates-two-years-of-success.cfm avecto.com 2

Framework Implementation Tiers, which range from Partial (Tier 1) to Adaptive (Tier 4), are used to categorize an organization s cybersecurity practices, with Tier 4 describing a cybersecurity posture where an agile and risk-informed approach to security has been adopted. Framework Profiles define an overview of an organization s current or target cybersecurity position. Profiles are developed by reviewing all the categories and subcategories of Framework Core Functions, and can then be used to help move the current cybersecurity posture forwards to achieve a target state, as defined in a Target State Profile. Access permissions are managed, incorporating the principles of least privilege and separation of duties. CSF section PR.AC-4 CSF and privilege management While the CSF doesn t provide a list of checkbox security controls, the Framework Core includes technical requirements that can be best achieved using a Privilege Management solution. This paper focuses on the Framework Core access control requirements relating to privilege management and application control. Access control The use of principles of least privilege is directly referenced in the CSF s access control requirements (section PR.AC-4) as part of the Protect function. A key factor in achieving least privilege is the removal of administrative rights from users. It s always been possible to run without administrative privileges in Windows, but standard user accounts faced restrictions that often made it impractical to perform everyday tasks, such as installing software or changing system settings. Because of the difficulties traditionally associated with servicing PCs where users run without administrative privileges, many organizations choose not to deploy standard user accounts. But with a privilege management solution and improvements in Windows, standard users can do more without requiring intervention from IT. avecto.com 3

User Account Control Windows Vista introduced User Account Control (UAC), a set of technologies that allows consumers to run with standard user rights most of the time but elevate to administrative privileges as required. As part of the work undertaken with UAC, common tasks, such as changing the time zone or installing devices with signed drivers, can be performed by standard users in Windows 7. However, unlike a third-party privilege management solution, UAC doesn t give organizations the ability to control which processes users are able to elevate, customize dialog message boxes, or prevent users from running unauthorized software with elevated privileges. The Framework has established a meaningful way for Microsoft to discuss, assess, and refine our cybersecurity risk management maturity. J. Paul Nicholas, Microsoft Senior Director of Global Security Strategy and Diplomacy Privilege management Privilege management products let IT define which processes users can elevate, ensuring systems are secure but still flexible to use. And unlike UAC, can assign the minimum number of privileges to processes and applications while leaving users with restricted access tokens. Advanced features of privilege management products go further by allowing users to quickly and easily elevate processes, even when a policy hasn t been defined by IT, using a challenge/response system where IT provides the user with an authorization code. Such capabilities are important for supporting notebook users when they have no connection to the intranet. Section PR.AT-2 states it should be the case that privileged users understand roles & responsibilities. A privilege management solution can be configured to allow users to elevate processes on request but also require that they justify their actions by providing a reason that s logged, increasing the likelihood that users take responsibility for activities performed using elevated privileges. avecto.com 4

Protective technology and data security Application control (section PR.PT-3) is also an important layer in an organization s security defenses. While removing administrative privileges from users is a critical step, preventing users from executing code obtained from untrusted sources is also central in protecting system integrity and sensitive data. 32% IT professionals are using application whitelisting techniques. Computing.co.uk, March 2016 1 Application control allows IT to determine which applications and processes users are allowed to run, using a whitelist to block anything that s not approved. Third-party Application control solutions improve on Windows Software Restriction Policies and AppLocker by integrating with other security products, making it easier to create and apply rules. In addition to the requirements relating directly to least privilege security, there are others that indirectly rely on least privilege if they are to be implemented effectively. Protections against data leaks (section PR.DS-5) could involve using specialist data loss prevention (DLP) solutions designed to prevent company data from being intentionally stolen by employees or malicious actors. But restricting users privileges significantly reduces the risk of a hacker being able to install software that could be used to steal credentials or sensitive data without the logged in user s knowledge. Baseline configurations (section PR.IP-1) can be preserved for longer periods when administrative rights are removed from users because system-level settings can only be changed by an authorized member of IT staff, or by a user on request. Furthermore, security and configuration settings applied using Group Policy can be circumvented by administrative users. Application control also plays a role in maintaining baseline configurations by ensuring only the software approved for each build can be installed and run. 1 Source: http://www.computing.co.uk/ctg/news/2452094/ninety-seven-per-cent-ofit-professionals-think-standard-antivirus-software-will-stop-zero-day-attacks avecto.com 5

Sandboxing In the knowledge that there is no such thing as 100% secure, isolating content in a sandbox allows organizations to protect data in cases where zero-day vulnerabilities may exist in installed products. While privilege management and application control can provide better protection than definition-based AV, sandboxing adds an additional layer of defense that isolates malicious code from other applications and user data. When used together, least privilege, application whitelisting and content isolation solutions allow organizations to benefit from more secure and reliable systems where users and malicious actors aren t able to make unauthorized system-level changes, or run malicious code, that might lead to a compromise or instability. But, at the same time, users can work without relying on IT to perform tasks that require administrative privileges. Less than 50% of respondents use standard tools such as patching and configuration to help prevent security breaches. Cisco, 2015 2 1 Source: Cisco Annual Security Report 2015 avecto.com 6

About Avecto Avecto is an innovator in endpoint security. Founded in 2008, the company was established to challenge the status quo that effective security leads to user lockdown. This philosophy of security + freedom promotes a positive user experience across every software implementation, allowing organizations to strike just the right balance. UK 2014 Its unique Defendpoint software makes prevention possible, integrating three proactive technologies to stop malware at the endpoint. This innovative software has been implemented at many of the world s most recognizable brands, with over 8 million licenses deployed. Attention to detail is paramount, with a team of qualified and experienced technology consultants to guide clients through a robust implementation methodology. This consultative approach provides clients with a clearly mapped journey against measurable objectives to ensure project success. The company has placed in the top four of the Deloitte Fast 50 for the last two consecutive years, making it one of the UK s fastest growing software companies as well on the global stage. USA / UK / Germany / Australia avecto.com / info@avecto.com avecto.com 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information