Cybersecurity risk management : mastering the fundamentals using the NIST cybersecurity framework /
"The National Institute of Standards and Technology (NIST), located in Gaithersburg, MD, is a U.S. Department of Commerce division. It is assigned the job of promoting innovation and industrial competitiveness. It is a research organization filled with some of the world's leading scientist...
Main Authors: | , |
---|---|
Format: | Book |
Language: | English |
Published: |
Hoboken, NJ :
John Wiley & Sons, Inc.,
2022
Hoboken, New Jersey : [2022] |
Subjects: |
Table of Contents:
- Academic Foreword xiii
- Acknowledgments xv
- Preface – Overview of the NIST Framework xvii
- Background on the Framework xviii
- Framework Based on Risk Management xix
- The Framework Core xix
- Framework Implementation Tiers xxi
- Framework Profile xxii
- Other Aspects of the Framework Document xxiii
- Recent Developments At Nist xxiii
- Chapter 1 Cybersecurity Risk Planning and Management 1
- Introduction 2
- I. What Is Cybersecurity Risk Management? 2
- A. Risk Management Is a Process 3
- II. Asset Management 4
- A. Inventory Every Physical Device and System You Have and Keep the Inventory Updated 5
- B. Inventory Every Software Platform and Application You Use and Keep the Inventory Updated 9
- C. Prioritize Every Device, Software Platform, and Application Based on Importance 10
- D. Establish Personnel Security Requirements Including Third-Party Stakeholders 11
- III. Governance 13
- A. Make Sure You Educate Management about Risks 13
- IV. Risk Assessment and Management 15
- A. Know Where You’re Vulnerable 15
- B. Identify the Threats You Face, Both Internally and Externally 16
- C. Focus on the Vulnerabilities and Threats That Are Most Likely AND Pose the Highest Risk to Assets 17
- D. Develop Plans for Dealing with the Highest Risks 18
- Summary 20
- Chapter Quiz 20
- Essential Reading on Cybersecurity Risk Management 22
- Chapter 2 User and Network Infrastructure Planning and Management 23
- I. Introduction 24
- II. Infrastructure Planning and Management Is All about Protection, Where the Rubber Meets the Road 24
- A. Identity Management, Authentication, and Access Control 25
- 1. Always Be Aware of Who Has Access to Which System, for Which Period of Time, and from Where the Access Is Granted 27
- 2. Establish, Maintain, and Audit an Active Control List and Process for Who Can Physically Gain Access to Systems 28
- 3. Establish Policies, Procedures, and Controls for Who Has Remote Access to Systems 28
- 4. Make Sure That Users Have the Least Authority Possible to Perform Their Jobs and Ensure That at Least Two Individuals Are Responsible for a Task 29
- 5. Implement Network Security Controls on All Internal Communications, Denying Communications among Various Segments Where Necessary 31
- A Word about Firewalls 31
- 6. Associate Activities with a Real Person or a Single Specific Entity 32
- 7. Use Single- or Multi-Factor Authentication Based on the Risk Involved in the Interaction 33
- III. Awareness and Training 34
- A. Make Sure That Privileged Users and Security Personnel Understand Their Roles and Responsibilities 35
- IV. Data Security 35
- A. Protect the Integrity of Active and Archived Databases 35
- B. Protect the Confidentiality and Integrity of Corporate Data Once It Leaves Internal Networks 36
- C. Assure That Information Can Only Be Accessed by Those Authorized to Do So and Protect Hardware and Storage Media 37
- D. Keep Your Development and Testing Environments Separate from Your Production Environment 38
- E. Implement Checking Mechanisms to Verify Hardware Integrity 39
- V. Information Protection Processes and Procedures 39
- A. Create a Baseline of IT and OT Systems 40
- B. Manage System Configuration Changes in a Careful, Methodical Way 41
- A Word about Patch Management 42
- C. Perform Frequent Backups and Test Your Backup Systems Often 43
- D. Create a Plan That Focuses on Ensuring That Assets and Personnel Will Be Able to Continue to Function in the Event of a Crippling Attack or Disaster 43
- VI. Mainte nance 44
- A. Perform Maintenance and Repair of Assets and Log Activities Promptly 45
- B. Develop Criteria for Authorizing, Monitoring, and Controlling All Maintenance and Diagnostic Activities for Third Parties 45
- VII. Protective Technology 46
- A. Restrict the Use of Certain Types of Media On Your Systems 46
- B. Wherever Possible, Limit Functionality to a Single Function Per Device (Least Functionality) 47
- C. Implement Mechanisms to Achieve Resilience on Shared Infrastructure 48
- Summary 49
- Chapter Quiz 50
- Essential Reading on Network Management 51
- Chapter 3 Tools and Techniques for Detecting Cyber Incidents 53
- Introduction 54
- What Is an Incident? 55
- I. Detect 56
- A. Anomalies and Events 56
- 1. Establish Baseline Data for Normal, Regular Traffic Activity and Standard Configuration for Network Devices 57
- 2. Monitor Systems with Intrusion Detection Systems and Establish a Way of Sending and Receiving Notifications of Detected Events; Establish a Means of Verifying, Assessing, and Tracking the Source of Anomalies 58
- A Word about Antivirus Software 60
- 3. Deploy One or More Centralized Log File Monitors and Configure Logging Devices throughout the Organization to Send Data Back to the Centralized Log Monitor 61
- 4. Determine the Impact of Events Both Before and After they Occur 61
- 5. Develop a Threshold for How Many Times an Event Can Occur Before You Take Action 62
- B. Continuous Monitoring 62
- 1. Develop Strategies for Detecting Breaches as Soon as Possible, Emphasizing Continuous Surveillance of Systems through Network Monitoring 63
- 2. Ensure That Appropriate Access to the Physical Environment Is Monitored, Most Likely through Electronic Monitoring or Alarm Systems 64
- 3. Monitor Employee Behavior in Terms of Both Physical and Electronic Access to Detect Unauthorized Access 65
- 4. Develop a System for Ensuring That Software Is Free of Malicious Code through Software Code Inspection and Vulnerability Assessments 65
- 5. Monitor Mobile Code Applications (e.g., Java Applets) for Malicious Activity by Authenticating the Codes’ Origins, Verifying their Integrity, and Limiting the Actions they Can Perform 66
- 6. Evaluate a Provider’s Internal and External Controls’ Adequacy and Ensure they Develop and Adhere to Appropriate Policies, Procedures, and Standards; Consider the Results of Internal and External Audits 66
- 7. Monitor Employee Activity for Security Purposes and Assess When Unauthorized Access Occurs 67
- 8. Use Vulnerability Scanning Tools to Find Your Organization’s Weaknesses 68
- C. Detection Processes 68
- 1. Establish a Clear Delineation between Network and Security Detection, with the Networking Group and the Security Group Having Distinct and Different Responsibilities 69
- 2. Create a Formal Detection Oversight and Control Management Function; Define Leadership for a Security Review, Operational Roles, and a Formal Organizational Plan; Train Reviewers to Perform Their Duties Correctly and Implement the Review Process 70
- 3. Test Detection Processes Either Manually or in an Automated Fashion in Conformance with the Organization’s Risk Assessment 71
- 4. Inform Relevant Personnel Who Must Use Data or Network Security Information about What Is Happening and Otherwise Facilitate Organizational Communication 71
- 5. Document the Process for Event Detection to Improve the Organization’s Detection Systems 72
- Summary 72
- Chapter Quiz 73
- Essential Reading for Tools and Techniques for Detecting a Cyberattack 74
- Chapter 4 Developing a Continuity of Operations Plan 75
- Introduction 77
- A. One Size Does Not Fit All 77
- I. Response 77
- A. Develop an Executable Response Plan 79
- B. Understand the Importance of Communications in Incident Response 80
- C. Prepare for Corporate-Wide Involvement During Some Cybersecurity Attacks 81
- II. Analysis 82
- A. Examine Your Intrusion Detection System in Analyzing an Incident 82
- B. Understand the Impact of the Event 83
- C. Gather and Preserve Evidence 84
- D. Prioritize the Treatment of the Incident Consistent with Your Response Plan 84
- E. Establish Processes for Handling Vulnerability Disclosures 85
- III. Mitigation 86
- A. Take Steps to Contain the Incident 86
- B. Decrease the Threat Level by Eliminating or Intercepting the Adversary as Soon as the Incident Occurs 87
- C. Mitigate Vulnerabilities or Designate Them as Accepted Risk 88
- IV. Recover 88
- A. Recovery Plan Is Executed During or After a Cybersecurity Incident 89
- B. Update Recovery Procedures Based on New Information as Recovery Gets Underway 91
- C. Develop Relationships with Media to Accurately Disseminate Information and Engage in Reputational Damage Limitation 92
- Summary 92
- Chapter Quiz 93
- Essential Reading for Developing a Continuity of Operations Plan 94
- Chapter 5 Supply Chain Risk Management 95
- Introduction 96
- I. NIST Special Publication 800-161 96
- II. Software Bill of Materials 97
- III. NIST Revised Framework Incorporates Major Supply Chain Category 98
- A. Identify, Establish, and Assess Cyber Supply Chain Risk Management Processes and Gain Stakeholder Agreement 98
- B. Identify, Prioritize, and Assess Suppliers and Third-Party Partners of Suppliers 99
- C. Develop Contracts with Suppliers and Third-Party Partners to Address Your Organization’s Supply Chain Risk Management Goals 100
- D. Routinely Assess Suppliers and Third-Party Partners Using Audits, Test Results, and Other Forms of Evaluation 101
- E. Test to Make Sure Your Suppliers and Third-Party Providers Can Respond to and Recover from Service Disruption 102
- Summary 103
- Chapter Quiz 103
- Essential Reading for Supply Chain Risk Management 104
- Chapter 6 Manufacturing and Industrial Control Systems Security 105
- Essential Reading on Manufacturing and Industrial Control Security 110
- Appendix A: Helpful Advice for Small Organizations
- Seeking to Implement Some of the Book’s Recommendations 111
- Appendix B: Critical Security Controls Version 8.0 Mapped to NIST CSF v1.1 113
- Answers to Chapter Quizzes 121
- Index 131
- Intro
- Title page
- Copyright
- Dedication
- Academic Foreword
- Acknowledgments
- Preface - Overview of the NIST Framework
- Background on the Framework
- Framework Based on Risk Management
- The Framework Core
- Framework Implementation Tiers
- Framework Profile
- Other Aspects of the Framework Document
- Recent Developments At Nist
- CHAPTER 1 Cybersecurity Risk Planning and Management
- Introduction
- I. What Is Cybersecurity Risk Management?
- A. Risk Management Is a Process
- II. Asset Management
- A. Inventory Every Physical Device and System You Have and Keep the Inventory Updated
- B. Inventory Every Software Platform and Application You Use and Keep the Inventory Updated
- C. Prioritize Every Device, Software Platform, and Application Based on Importance
- D. Establish Personnel Security Requirements Including Third-Party Stakeholders
- III. Governance
- A. Make Sure You Educate Management about Risks
- IV. Risk Assessment and Management
- A. Know Where You're Vulnerable
- B. Identify the Threats You Face, Both Internally and Externally
- C. Focus on the Vulnerabilities and Threats That Are Most Likely AND Pose the Highest Risk to Assets
- D. Develop Plans for Dealing with the Highest Risks
- Summary
- Chapter Quiz
- Essential Reading on Cybersecurity Risk Management
- CHAPTER 2 User and Network Infrastructure Planning and Management
- I. Introduction
- II. Infrastructure Planning and Management Is All about Protection, Where the Rubber Meets the Road
- A. Identity Management, Authentication, and Access Control
- 1. Always Be Aware of Who Has Access to Which System, for Which Period of Time, and from Where the Access Is Granted
- 2. Establish, Maintain, and Audit an Active Control List and Process for Who Can Physically Gain Access to Systems
- 3. Establish Policies, Procedures, and Controls for Who Has Remote Access to Systems
- 4. Make Sure That Users Have the Least Authority Possible to Perform Their Jobs and Ensure That at Least Two Individuals Are Responsible for a Task
- 5. Implement Network Security Controls on All Internal Communications, Denying Communications among Various Segments Where Necessary
- A Word about Firewalls
- 6. Associate Activities with a Real Person or a Single Specific Entity
- 7. Use Single- or Multi-Factor Authentication Based on the Risk Involved in the Interaction
- III. Awareness and Training
- A. Make Sure That Privileged Users and Security Personnel Understand Their Roles and Responsibilities
- IV. Data Security
- A. Protect the Integrity of Active and Archived Databases
- B. Protect the Confidentiality and Integrity of Corporate Data Once It Leaves Internal Networks
- C. Assure That Information Can Only Be Accessed by Those Authorized to Do So and Protect Hardware and Storage Media
- D. Keep Your Development and Testing Environments Separate from Your Production Environment
- E. Implement Checking Mechanisms to Verify Hardware Integrity
- V. Information Protection Processes and Procedures
- A. Create a Baseline of IT and OT Systems
- B. Manage System Configuration Changes in a Careful, Methodical Way
- A Word about Patch Management
- C. Perform Frequent Backups and Test Your Backup Systems Often
- D. Create a Plan That Focuses on Ensuring That Assets and Personnel Will Be Able to Continue to Function in the Event of a Crippling Attack or Disaster
- VI. Maintenance
- A. Perform Maintenance and Repair of Assets and Log Activities Promptly
- B. Develop Criteria for Authorizing, Monitoring, and Controlling All Maintenance and Diagnostic Activities for Third Parties
- VII. Protective Technology
- 6. Evaluate a Provider' s Internal and External Controls' Adequacy and Ensure they Develop and Adhere to Appropriate Policies, Procedures, and Standards
- Consider the Results of Internal and External Audits
- 7. Monitor Employee Activity for Security Purposes and Assess When Unauthorized Access Occurs
- 8. Use Vulnerability Scanning Tools to Find Your Organization' s Weaknesses
- C. Detection Processes
- 1. Establish a Clear Delineation between Network and Security Detection, with the Networking Group and the Security Group Having Distinct and Different Responsibilities
- 2. Create a Formal Detection Oversight and Control Management Function
- Define Leadership for a Security Review, Operational Roles, and a Formal Organizational Plan
- Train Reviewers to Perform Their Duties Correctly and Implement the Review Process
- 3. Test Detection Processes Either Manually or in an Automated Fashion in Conformance with the Organization' s Risk Assessment
- 4. Inform Relevant Personnel Who Must Use Data or Network Security Information about What Is Happening and Otherwise Facilitate Organizational Communication
- 5. Document the Process for Event Detection to Improve the Organization' s Detection Systems
- Summary
- Chapter Quiz
- Essential Reading for Tools and Techniques for Detecting a Cyberattack
- CHAPTER 4 Developing a Continuity of Operations Plan
- Introduction
- A. One Size Does Not Fit All
- I. Response
- A. Develop an Executable Response Plan
- B. Understand the Importance of Communications in Incident Response
- C. Prepare for Corporate-Wide Involvement During Some Cybersecurity Attacks
- II. Analysis
- A. Examine Your Intrusion Detection System in Analyzing an Incident
- B. Understand the Impact of the Event
- C. Gather and Preserve Evidence
- D. Prioritize the Treatment of the Incident Consistent with Your Response Plan
- A. Restrict the Use of Certain Types of Media On Your Systems
- B. Wherever Possible, Limit Functionality to a Single Function Per Device (Least Functionality)
- C. Implement Mechanisms to Achieve Resilience on Shared Infrastructure
- Summary
- Chapter Quiz
- Essential Reading on Network Management
- CHAPTER 3 Tools and Techniques for Detecting Cyber Incidents
- Introduction
- What Is an Incident?
- I. Detect
- A. Anomalies and Events
- 1. Establish Baseline Data for Normal, Regular Traffic Activity and Standard Configuration for Network Devices
- 2. Monitor Systems with Intrusion Detection Systems and Establish a Way of Sending and Receiving Notifications of Detected Events
- Establish a Means of Verifying, Assessing, and Tracking the Source of Anomalies
- A Word about Antivirus Software
- 3. Deploy One or More Centralized Log File Monitors and Configure Logging Devices throughout the Organization to Send Data Back to the Centralized Log Monitor
- 4. Determine the Impact of Events Both Before and After they Occur
- 5. Develop a Threshold for How Many Times an Event Can Occur Before You Take Action
- B. Continuous Monitoring
- 1. Develop Strategies for Detecting Breaches as Soon as Possible, Emphasizing Continuous Surveillance of Systems through Network Monitoring
- 2. Ensure That Appropriate Access to the Physical Environment Is Monitored, Most Likely through Electronic Monitoring or Alarm Systems
- 3. Monitor Employee Behavior in Terms of Both Physical and Electronic Access to Detect Unauthorized Access
- 4. Develop a System for Ensuring That Software Is Free of Malicious Code through Software Code Inspection and Vulnerability Assessments
- 5. Monitor Mobile Code Applications (e.g., Java Applets) for Malicious Activity by Authenticating the Codes' Origins, Verifying their Integrity, and Limiting the Actions they Can Perform
- Answers to Chapter Quizzes
- E. Establish Processes for Handling Vulnerability Disclosures
- III. Mitigation
- A. Take Steps to Contain the Incident
- B. Decrease the Threat Level by Eliminating or Intercepting the Adversary as Soon as the Incident Occurs
- C. Mitigate Vulnerabilities or Designate Them as Accepted Risk
- IV. Recover
- A. Recovery Plan Is Executed During or After a Cybersecurity Incident
- B. Update Recovery Procedures Based on New Information as Recovery Gets Underway
- C. Develop Relationships with Media to Accurately Disseminate Information and Engage in Reputational Damage Limitation
- Summary
- Chapter Quiz
- Essential Reading for Developing a Continuity of Operations Plan
- CHAPTER 5 Supply Chain Risk Management
- Introduction
- I. NIST Special Publication 800-161
- II. Software Bill of Materials
- III. NIST Revised Framework Incorporates Major Supply Chain Category
- A. Identify, Establish, and Assess Cyber Supply Chain Risk Management Processes and Gain Stakeholder Agreement
- B. Identify, Prioritize, and Assess Suppliers and Third-Party Partners of Suppliers
- C. Develop Contracts with Suppliers and Third-Party Partners to Address Your Organization s Supply Chain Risk Management Goals
- D. Routinely Assess Suppliers and Third-Party Partners Using Audits, Test Results, and Other Forms of Evaluation
- E. Test to Make Sure Your Suppliers and Third-Party Providers Can Respond to and Recover from Service Disruption
- Summary
- Chapter Quiz
- Essential Reading for Supply Chain Risk Management
- CHAPTER 6 Manufacturing and Industrial Control Systems Security
- Essential Reading on Manufacturing and Industrial Control Security
- Appendix A: Helpful Advice for Small Organizations Seeking to Implement Some of the Book's Recommendations
- Appendix B: Critical Security Controls Version 8.0 Mapped to NIST CSF v1.1