On December 17th, 2018 I held a teleconference on the topic of the NIST Cybersecurity Framework with my partner Eric Burke and with cybersecurity expert and consultant Jeff Miller. The complete video is published on YouTube. Below, we are also providing a transcript of the entire call. This content is also available as an episode of the cybersecurity and regulatory podcast from our cybersecurity consulting firm in NYC.
Daniel: Welcome everyone to another episode of our cybersecurity and regulatory compliance VLOG here in the Big Apple, New York City. I’m your host Dan Haurey, and I’m joined today by my partner, Eric Burke, VP of technology here at Exigent. Eric is also a founding member of our new cybersecurity spin-off, Partners in Regulatory Compliance. Hello Eric. How are you?
Eric: Hey, good afternoon. How are you?
Daniel: Good. Thank you. Also returning with us once again today for a third episode is our cyber security practice lead and consultant, Jeff Miller. Howdy, Jeff.
Jeff: Hey, Dan. Hey, Eric.
Daniel: Okay. So we’re gonna jump right in guys. Today we’re talking about something that really interests me and I know is a hot topic these days. We all need standards. We all need a place to begin, and we need a framework. So today we’re talking about the NIST cybersecurity framework. Jeff, let’s jump right in. What is the NIST cybersecurity framework?
Jeff: Sure, actually, maybe I’ll back it up and say, what is NIST? So the National Institute of Standards and Technology is part of the U.S. Department of Commerce. It’s been around actually since 1901, so over a century of tenure. And NIST’s mission is to promote U.S. innovation and industrial competitiveness. And cybersecurity is a way that we do that in 2018 and beyond. It used to be that they did a lot with advanced measurement and standards in that way. But now that the world is moving cyber, an increasing part of what NIST does is help the world, at least in America, with doing cybersecurity and doing it right.
The NIST cybersecurity framework is pretty universally the de facto standard for doing cybersecurity in the United States. If you actually read through it, it’s only 59 pages. It’s available if you just Google “NIST cybersecurity framework.” It’s not as complicated as people think. And it’s really universally applicable in nature; whether you’re a healthcare facility, a retail organization, a not-for-profit or a governmental agency, it is considered the de facto standard for how to do cybersecurity. And so it has a bunch of different components in it. But it is fairly lean. And that is, again, only 59 pages. And the majority of that is just explaining how to use it.
Daniel: Gotcha. So, so what I’m hearing is, you know, you’re giving a framework here that not only is a great jumping off point, but it’s very well known, well published and accepted, so no one’s ever gonna get fired for saying, “Hey, I use the NIST security framework,” right?
Jeff: That’s exactly right. You know, you can’t go wrong. In fact, a lot of the other regulations out there are really just pointers to NIST, where this is really the thing that you have to do. For example, the DFARS regulation applies to military contractors and subcontractors. In other words, anybody who’s performing any service or providing any goods to the Department of Defense, they’ve got to follow NIST’s standards. And so the DFARS regulation is really just a pointer to NIST itself. And as Dan, you and I were talking about before the podcast, the HIPAA Security Rule, for example, says you guys have to do a risk assessment. If you’re a hospital, if you’re touching healthcare data, do a risk assessment. What they don’t say is how. So the how is go follow NIST’s standards. So NIST has become that thing that all other regulations are looking at, and all other…anybody who needs to do security really should be looking at NIST as the first step.
And it came about because more and more in this day of cyber intrusions, back when President Obama was our president, they saw this as, “Look, we have to protect ourselves, our critical infrastructure and improve the cybersecurity.” If you think about the Internet of Things, right? We’ve all heard that buzzword, what does that mean? That means, you know, our nuclear plants, they’re connected to a network. Water facilities, they’re connected to a network. Think about traffic control devices that are connected to a network. And, you know, if I’m a foreign entity or an enemy trying to get at our country, they’re looking at getting into the critical infrastructure. So really, this came about to protect the critical infrastructure and then matured it into a framework that’s really applicable across the board, regardless of [inaudible 00:04:57].
Daniel: Gotcha. In terms of the goals of NIST, obviously, you know, the founders or the people that, you know, were the genesis of the cybersecurity framework that is NIST, what were the goals of the Cybersecurity Framework?
Jeff: Yeah, so really three simple goals. Number one, to manage cyber risk. And so everything has to do with getting a baseline of your risk first, and once you know what your risk is, managing it, and ultimately trying to shrink it as much as possible. So that’s number one. Find and reduce risk. Number two is to provide a common language. So without a framework that everybody knows and follows, it’s like English, you know, if you’re speaking Spanish and I’m speaking English, we’re gonna be missing some things, right? We’re gonna be crossing wires. So the Cybersecurity Framework lays out a set of common language that we can all use and we know what it means and stay on the same page while we’re having these discussions around cybersecurity.
Then lastly, it can be used to create, guide, assess or improve a cybersecurity program. So a company that may be starting from scratch, first [inaudible 00:06:11] into cybersecurity. If I was to be hired as a CISO in a new company, and on day one, they say, you know, go and do your job. The first thing I’m gonna do is say, “We’re gonna do an assessment on this entire organization based on the NIST framework,” and where the gaps are, that’s where I’m gonna start budgeting in future fiscal years for technology and for training for people and written policy. That’s what I need to budget off of. So again, three things: managing cyber risk, providing that common language to discuss cyber risks, and then helping companies create comprehensive cybersecurity programs.
Eric: On a point you just brought up, you know, a lot of people feel like they have to go kind of from zero to 100 when they attack a compliance issue like this. Can you talk a little bit to how that’s either true or not true in trying to tackle some of these issues that folks are coming up against?
Jeff: Yeah, that’s a good point, Eric. And it’s, you know, you don’t go from zero to 100, right? You have to get to two miles an hour, three miles an hour, and so on, right. And so to do that, you have to focus on…and I like this as an overlay to this, which is, you guys have probably heard of the CIS top 20 critical controls. So those are a really good way of prioritizing once you know what your gaps are. You probably don’t have the time, the budget or the manpower to do everything all at once that month, let’s say, after doing an assessment. So what I tell people to do is find out what your gaps are and then prioritize them, know that it’s gonna take time, know that it’s gonna take budget, get the buy-in ahead of time.
But in terms of prioritizing the things that need to get done, follow the CIS top 20 critical controls. So if you look at that, the top 20 critical controls, the first two controls are, know what you have, know what hardware is out there, you know, what workstation, servers, routers, switches, and so on. And then what is running on it. So what software is on there. So knowing what you have, then you can know what to protect. If you don’t know what you have and that’s not cataloged and you really don’t know what assets are in the organization to protect, there’s no way you can protect it, right? You gotta know what you have first.
And then another point to your question, Eric, is just recently, in August of 2018, the federal government gave NIST a new mandate, which is take the NIST cybersecurity framework and custom fit it for small and medium businesses, knowing that people have that same, you know, scary concern about having to go from zero to 100. And 59 pages isn’t a lot of pages, but if you’ve never done security, it’s 59 more pages than you’re used to. So the NIST Cyber Security Framework is gonna be retooled for SMB, and I expect that probably in 2019 or 2020 to come out. And that won’t necessarily replace NIST, but it will give a lot of smaller companies an easier way of getting started in cybersecurity.
Daniel: That’s awesome. Jeff, so we did have a question come in when we found out we were doing this. So the question is, while we’re talking about frameworks, right, how does the NIST cybersecurity framework differ from NIST SP 800-53?
Jeff: Right. So 800-53 came out after the Federal Information Security Management Act, otherwise known as FISMA, was issued in 2002. So it is sort of the grandfather. SP 800-53 is the older of the two frameworks. Again, it came out in 2002. And SP 800-53, if you look at it in its current revision, is about 500 pages long. And a lot of the extra, you know, depth and sort of meat to the 800-53 is that it catalogs controls, whereas the NIST cybersecurity framework doesn’t catalog controls. So what do I mean by controls?
So for example, you know, you need to do encryption, okay, that’s an easy thing to say. But how do I do encryption? 800-53 will talk about the various different ways of doing encryption and the controls that you can put in place, whereas the Cybersecurity Framework just says do encryption. And you either have somebody smart telling you what that means and how to do that, or you look at the Cybersecurity Framework and, instead of including all those controls, it merely references controls in other more comprehensive frameworks such as 800-53, ISO, CIS that I mentioned earlier, and COBIT.
So the CSF, or the Cybersecurity Framework, is apparently meant to be more generic on purpose, and not contain all the controls, the catalog of controls that the others, you know, ISO and 800-53, include. And again, both the Cybersecurity Framework and 800-53 do have applicability beyond the original intended purpose for federal information systems. So they really are both applicable to any vertical. I would say for small and medium business, start with the Cybersecurity Framework. Anybody who’s doing anything within the federal government or contracting for the federal government, you’re gonna wanna go ahead and do 800-53, even though it is the lengthier of the two frameworks.
Daniel: So far what I’m getting is if you’re just starting out, if you’re brand new in a position and you’re in charge of IT security, if you’re a new CISO arriving on the job, you’re probably going to be looking at NIST, and that’s where you’re gonna start to assess where your gaps are.
Jeff: Right. The only other time that a company may go, let’s say, to the ISO 27001 stack, let’s call it, is if they have international business. So the thing about the NIST cybersecurity framework, there’s no seal of compliance, you know, nobody’s gonna…no auditor can come in and give you a rubber stamp to say 100%, you’re doing everything you need to be under the cybersecurity framework, which is fine. It was never intended to have a rubber stamp associated with it. But the ISO 27001 cybersecurity framework is sort of more globally recognized if you have, let’s say, operations, you’re headquartered in the United States, then you have a manufacturing facility in China and you’ve got some administrative offices in Spain and so on. If you’re more of a global company, they tend to go more towards the ISO stack. But by and large, the companies that we work with and the organizations that we deal with are in the United States. So the Cybersecurity Framework is…you don’t have to go to ISO.
Eric: Quick question, a lot of folks out there have multiple compliance requirements. Is there a good one to start with, is there something that covers a broader base, maybe another one that would help them jumpstart, maybe getting several compliance regulations or catching up on [inaudible 00:13:34] compliance at the same time?
Jeff: Yeah, again, the Cybersecurity Framework really is the most high-level, broad in scope. So think about an example of what Eric is talking about. You’ve got a hospital. You walk into the hospital, you give them all your social, your name, your address, they’re drawing your blood, there’s medical records. That all gets stored into an EMR system. They’ve got that data to protect under the HIPAA Security Rule. And then you’ve got to pay them, right, these doctors aren’t working for free. At some point you have to swipe a credit card into a point of sale system. Or maybe there’s an online portal where you can pay for your patient visit. So now you’re dealing with both HIPAA and PCI, and your organization has two different sets of standards that you have to follow.
The fact is that the majority of both overlap. And so because of that very high percentage of overlaps with all these frameworks, if a company like that hasn’t done anything before, in terms of security, we tell them to follow NIST by default. And then a small percentage of things that don’t fall into that umbrella of NIST that may be unique to the HIPAA Security Rule or may be unique to PCI, you can handle those. But if you’re doing the Cybersecurity Framework, you’re gonna be covering 80% of both of those different needs.
Daniel: Gotcha. Awesome. The NIST cybersecurity framework has five pillars. What are those pillars and what’s covered under those pillars?
Jeff: So that’s an easy question to ask. A little bit more of a lengthy…I’ll try to keep it short here. But you ask big questions, Dan, that’s why I like it. So the five pillars of NIST are identify, protect, detect, respond and recover. And the goal again, going back to earlier in the discussion, is to provide a high-level strategic view of how to manage cybersecurity risk. And it just so happened that when all the government entities and private entities and thousands of people involved in creating the Cybersecurity Framework came together, they all sort of agreed on a consensus of these five pillars. Again, going back to it, it’s identify, protect, detect, respond, and recover. So when you think about identify, what are you identifying? You’re identifying what assets you have. Again, that’s what the CIS top 20 critical controls tell you…know what you have before you can protect it. It also helps…a big component, in fact, I think the most important thing to start off with is the business context, right?
It’s one thing to think about your hardware and your software and the technology and really get off track and think of cybersecurity as just an IT problem. But outside of the business context, you’re not gonna do well. If you don’t know the importance of risk mitigation or the risk appetite, as they call it, of the business, you’re not gonna be doing cybersecurity in a way that’s cost-effective, or in a way that’s aligning with business goals. So you’re getting that business context. Defining roles and responsibilities, a lot of times I hear people say cybersecurity takes a village. And so it’s not just that you have the CISO or the CEO saying, you know, “Do these things,” and then everybody has to figure out what it is. There has to be buy-in from the C suite, from the president, the owner, that level. There has to be buy-in from your security guys, whether they’re internal or outsourced, then you have the guys implementing it, and they have to understand their role and responsibility in terms of implementing new technologies or procedures within the organization.
And then another thing to identify is the vulnerabilities, threats, and risks. So, you know, think about a company in New York City, for example, right? They’re not dealing with tornadoes. New York City, that’s not a thing that happens. But if you go to the Midwest, they’re dealing with tornadoes. So each business has to identify the unique risks that would face their business, and it does require a separate risk assessment to do that. So SP 800-30 is NIST’s sort of playbook for how to do a risk assessment, identify what the threats are to your unique organization. So identifying your assets, the business context, roles and responsibilities, and getting a firm understanding of what risks face your business. That’s the first leg you need to stand on before you can protect anything. Any questions on the identify pillar, guys? Anything you wanna add on that?
Eric: I think it’s interesting that you bring up emergency kind of operational topics when you talk about that. You hear the word cybersecurity and we tend to think security and cyber, nothing else. But it sounds like there’s a lot of other things that really tangentially touch on that, that are not really technology related. Is that accurate?
Jeff: Absolutely. When you think about what is cybersecurity, a lot of folks will talk about what they call the CIA triad. And that just simply means the confidentiality, integrity, and availability of data. And so you have to have contingencies in place. I’ve mentioned Hurricane Sandy earlier. If you’re located in New York City, and you’re getting hammered, you’ve got water in your data center, well, your employees, first of all, you’ve got to make sure they’re safe, right? Cybersecurity is useless if your employees are not safe. You’ve got to find an alternative way of them getting work done, whether that means that you have an alternate location, maybe you have information you can spin up in the cloud and standby systems that are cloud-based, and sort of point people to the cloud and they can work from home. But yeah, it’s not just the data itself, but the infrastructure, the availability of that data relies on things like redundancy and things like having disaster plans mapped out to keep your people and your data safe.
Daniel: Eric, I recall you were recently working with a client where, you know, you were focusing in on that availability, right? You have a client that is a nonprofit that sees patients and holds private health information. And one of the things that I recall you mentioning, Eric, was the availability of data, right? So if the disaster happens, how soon can we get access to that information again so that we can do our jobs or make that available? Isn’t that right, Eric?
Eric: Yeah, I think, you know, what’s important to remember there, too, is how that can vary from customer to customer, environment to environment, in that, and I think HIPAA states something along the lines of you need to be able to return those systems to availability in such a way that it doesn’t impact your ability to provide care in a way that you otherwise would. So the needs of somebody like this not-for-profit, which happened to be a recovery center, may not be as impactful. You may not have the life or death scenarios that you might have in a hospital system or an emergency room if those systems are unavailable. So you have to kind of tailor the way you proceduralize your response based on those particular needs. There’s a lot of variability there. But that was pretty interesting to see kind of one end of the spectrum.
Daniel: Yeah, for sure. So we’re fortunate to have NIST because it gives us a roadmap, it gives us guidelines, and it gives us something that is generally accepted. I go back to, you know, if push comes to shove, and you’re able to show that your organization made a very diligent and effective effort at following and implementing, you know, the NIST framework, you’re gonna be on a lot better footing than if you kind of just came up with your own ad hoc plan and kind of winged it across the room. Now, that given, somebody says, okay, obviously NIST is well accepted, we’re gonna implement those standards, we’re gonna follow NIST. What kind of mistakes, Jeff, if any, can they make in trying to implement NIST cybersecurity standards? I mean, I imagine it’s not foolproof.
Jeff: No, it’s not. I’ll backtrack a little bit, we went over the identify, you know, pillar. The other pillars are protect, detect, respond, and recover. So really the identify is find out what assets you have to protect, and then what risks face them, and then the other four pillars are all about protecting them. And if there is some kind of a threat that’s going on, being able to detect it, respond to it, and get back up and running. So those are the other pillars. I think the big mistake that people make is management gets told that they have to do cybersecurity because of some audit or some third-party company that they’re working with simply won’t continue to work with them if they’re not showing their due diligence.
And then they, unfortunately, tend to involve unqualified individuals. They might pass it off, “Hey, here’s a spreadsheet and it’s based on this and these are all the things that this third-party company needs us to do to maintain this business relationship,” and they’ll hand it off to somebody in administration, who simply has no idea of anything about cybersecurity and is just kind of making things up. And it’s not that they’re doing anything malicious, they just don’t really know how to answer things and they’re not qualified.
Another thing I see is people mistaking the NIST cybersecurity framework for a risk assessment; they are two different things. So in fact, the NIST cybersecurity framework, in the identify, that first pillar, says do a risk assessment. And they’re not the same thing. Really, if you look at what your company is doing versus the NIST cybersecurity framework, that’s more of a gap analysis, it’s important to do. But also doing a risk assessment is important, you really need to do both things. They have different end goals. So that’s a mistake I see. I see people say, “I’m in the cloud. I had an IT company come in and they moved us to 365. And our file storage is in the cloud. So I’m secure because I’m in the cloud.”
And that’s simply not true. The fact is, there’s a lot of things that need to get turned on that are maybe features that are available. But if they’re not configured and turned on, they’re not protecting you. For example, we all know about phishing, right? It’s the number one way that hackers get in; in the last 10 years of the Verizon data breach investigations report, that’s the way people are getting in, that’s the tip of the spear. So great, you’re in Office 365. But if you don’t have multi-factor authentication enabled, you’re at very high risk of account takeover.
So just saying that you’re in the cloud and turning a blind eye to actually configuring things to align with the five tenets of NIST, you’re doing yourself a disservice. And then lastly, I would say just a lack of buy-in from management and identified roles. Throwing it at one person and making it their sole job. If you have a CISO or a fractional CISO, maybe you’re outsourcing that role, that person can be the puppeteer here and tie everything together. But giving it to somebody where it’s like a second hat that they have to wear and there’s many other things that they have to do, that’s a terrible idea. And they’re gonna, frankly, be fragmented and not able to do the best job for your company. And so what’s at risk, not doing a good job with implementing NIST standards means your reputation, your revenue, your employee satisfaction, all these things are at risk. And again, like you said, availability as well.
Daniel: Yeah, we definitely see…definitely problems where someone hands someone something and, you know, kind of just abdicates responsibility. I’ve seen stories where the managing partner at a law firm, you know, maybe tells one of his secretaries that you’re responsible for maybe removing the backup tapes, our weekly backup, from the office and that’s your job. Okay, fair enough. That person, who is not an IT professional, doesn’t know anything about storing data on removable media. He or she just knows that it’s my job to take these and take them home with me, only to find out later on that these VLT tapes are being stored in the trunk of a car, which probably gets to be what, about 150 degrees in the summer, all summer long, and are in bad shape when you need them. So I totally get the point where you can’t just take something like this and hand it to someone and say, do this. I think what I’m hearing is let the professionals do this for you.
Jeff: Absolutely. Couldn’t have made the point better, Dan.
Daniel: Yeah, yeah.
Eric: How do you account for businesses that have relationships with other companies that ultimately they hold compliance responsibility for? How does that play out?
Jeff: So a big part of NIST is managing third parties. You have to do due diligence with anybody who’s touching your data, whether they’re storing or processing it, and it goes beyond IT, it could be a janitorial staff who has access into a building. You’ve got to think about them as a third party. You have to think about these cloud vendors as third parties. Outsourced IT companies, these are third parties. I talked to one company, and for privacy purposes I can’t say who it was, but a company that does furniture for a majority of the East Coast, the gentleman in charge of their security did an audit of, well, who am I dealing with, who are my third parties, and come to find out there were over 220 third parties that had at least tangential access to data or physical access to systems.
So if you don’t have a methodology for handling third parties and holding them accountable, then you can do all you wanna do to protect yourself, you’re gonna be barely more secure than you were after all that time and effort protecting yourself. So I think the banking industry does a really good job talking about how to handle third parties. I would say of all the industries that we work with, the financial services industry tends to be more mature. So for anybody wondering, “Well, how do I hold their third parties accountable?” Really look at what the banking industry is doing. And we can provide, you know, links to that on the website. But they’ve got it really figured out.
It’s really about having a good risk management program for your third parties, not just a five-page written document. It’s really got to be intentional, and you have to have methods of checking them. There has to be some kind of regular reporting, some kind of KPIs or way of measuring that they’re doing what they’re supposed to do. Even so much as doing a site visit or doing background checks of third parties.
Eric: Excellent. That makes a lot of sense. Thank you.
Daniel: All right guys. So that’s about all the time we have for today. I wanna thank you, Jeff, and you Eric for taking the time and joining us, and we’ll see you next time. Thanks again.
Jeff: Thanks, guys.