
Monday, June 24, 2019

Week 04 - Security Awareness and Training

TL:DR - Learning is a continuum; it requires understanding what you are trying to accomplish, combined with the soft skills to deliver it, in order to change the culture.

The National Institute of Standards and Technology developed a document on how to create a Security Awareness Program that is fairly ok.

Employees require additional training to increase their awareness, knowledge, skills, and abilities in security. They are the last line of defense against intentional or unintentional actions that may cause harm, whether to a physical item or to information on paper or in digital form, and whether the harm is destruction or compromise. The success of a security program rests on employees understanding the importance of their role in protecting the organization’s assets and their own personal lives, how they fit into the overall picture, and on changing both their behavior and the organization’s culture.

Learning is a continuum; it starts with awareness, builds to training, and evolves into education. The following definitions explain the differences along the continuum:

  • Awareness: The purpose of awareness is to focus attention on security, to allow individuals to recognize security concerns and respond accordingly.
  • Training: Training seeks to teach skills. Its purpose is to produce relevant and needed security skills and competencies in practitioners of functional specialties other than security (e.g., management, systems design and development, acquisition, auditing).
  • Education: Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and strives to produce security specialists and professionals capable of vision and proactive response.

Training is provided in many forms, determined by the content, the target audience, and what maximizes effectiveness. The following methods may be employed: required reading, computer-based or web-based courses, off-site professional training, classroom sessions, testing such as phishing campaigns, posters, or infographics. The intensity and complexity of the training depend on the target audience: a general employee/user receives basic awareness and/or training at a specified interval, while critical roles such as security professionals, management, or technical administrators receive additional training, through other methods, that is tailored to their functions.

Most training focuses on the general employee/user. Employees/users are the largest audience in an organization and are considered the weakest link in security because they are capable of bypassing safeguards. However, they are also capable of being the greatest defenders of the system. An awareness and training program is the vehicle for communicating security requirements to the user population. The content covers:

  • The proper rules of behavior for the subject, such as use of systems and information
  • The policies and procedures that need to be followed
  • The sanctions imposed for noncompliance
  • What is expected of a user

Changing behavior is key; however, less than 15 percent of security professionals have a background in soft skills such as training, marketing, or communications. Lance Spitzner describes the “Three C's of Security Awareness” for a successful program: communication, collaboration, and culture. This is accomplished by clearly explaining why people should care, working out how to communicate what we need them to do in simple terms, and validating that people are exhibiting those behaviors. A picture is worth a thousand words; the following are two awareness examples.

Figure 1: Poster

Figure 2: Infographic

Monday, June 17, 2019

Week 03 - Demystify First Two Steps of the RMF

TL:DR - Determining the baseline controls to be implemented for the system is half the battle, G.I. Joe.


An explanation of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) was published on June 10, 2019. This is a follow-up to that post, explaining the processes behind the first two steps of the RMF and how an organization would use them. In epic fashion, NIST, on behalf of the United States (U.S.) federal government, did not create a single, simple-to-understand document for these steps (Categorize and Select Controls), but an exorbitant number of documents for securing information systems. These documents are interconnected, and no single one of them can be explained in isolation for a holistic understanding. The following documents are referenced:



FIPS-199, Standards for Security Categorization of Federal Information and Information Systems, requires that federal government agencies categorize information and information systems. NIST Special Publication (SP) 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Volumes I & II, is the guideline for establishing the categorization; it provides the various information types, their descriptions, and the suggested impact level of each for confidentiality, integrity, and availability.

In order to categorize a system, the Mission-Based Information Types and Delivery Mechanisms (NIST SP 800-60, Table 4), Services Delivery Support Functions and Information Types (NIST SP 800-60, Table 5), and Government Resource Management Functions and Information Types (NIST SP 800-60, Table 6) are used to determine which information types exist on, or are supported by, the system. These tables are included for reference:




In addition, the following are considerations when categorizing:
  • Business and mission areas
  • Whether the information is time-critical, stated in the rationale for assigning availability impact levels
  • The rationale for assigning information to the General Information Type
  • The results of reviewing the identified security categorizations for the aggregate of information types
  • The effects of various factors and circumstances (e.g., data aggregation, critical system functionality, privacy, trade secrets, critical infrastructure, extenuating circumstances) on the system category

The results of the analysis are documented as in the example table shown below. For each information type, an example explanation is provided to justify the selection of that type. These information types are listed in Step 1 of the table. Step 2 of the table identifies the provisional confidentiality, integrity, and availability categorization of each information type, while Step 3 identifies any adjustments to it. Finally, Step 4 identifies the overall categorization of the system using the “high water mark” across the collection of information types selected from NIST SP 800-60 as noted above.


At this point, the system under review has been categorized. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, then requires that the minimum security requirements (a.k.a. “security controls”) be applied to the system based on its categorization; the controls themselves are located in NIST SP 800-53, Security and Privacy Controls for Systems and Organizations.
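The four-step categorization worksheet described above, and the FIPS 200 baseline that falls out of it, can be expressed as a small program. The following is an added example, not code from the original post or from NIST; the information type names resemble SP 800-60 entries but the impact values are constructed for illustration, and the "n/a" handling follows the FIPS 199 rule that "not applicable" is permitted only for the confidentiality of an individual information type, never at the system level.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

OBJECTIVES = ("confidentiality", "integrity", "availability")
# FIPS 199 impact levels, ascending; "n/a" is allowed only for the confidentiality
# of an individual information type (e.g. public information).
LEVELS = ("n/a", "low", "moderate", "high")

@dataclass
class InfoType:
    name: str                    # Step 1: information type from SP 800-60 tables
    provisional: Dict[str, str]  # Step 2: provisional C/I/A impact levels
    adjusted: Dict[str, str] = field(default_factory=dict)  # Step 3: overrides

    def final_levels(self) -> Dict[str, str]:
        """Apply Step 3 adjustments to the provisional levels and validate them."""
        out = {}
        for obj in OBJECTIVES:
            level = self.adjusted.get(obj, self.provisional[obj]).lower()
            if level not in LEVELS:
                raise ValueError(f"{self.name}: unknown impact level {level!r}")
            if level == "n/a" and obj != "confidentiality":
                raise ValueError(f"{self.name}: n/a only applies to confidentiality")
            out[obj] = level
        return out

def high_water_mark(levels: Iterable[str]) -> str:
    return max(levels, key=LEVELS.index)

def categorize_system(types: List[InfoType]) -> Dict[str, str]:
    """Step 4: per-objective high water mark over all information types. FIPS 199
    does not permit n/a at the system level, so confidentiality is at least low."""
    if not types:
        raise ValueError("a system must carry at least one information type")
    finals = [t.final_levels() for t in types]
    category = {obj: high_water_mark(f[obj] for f in finals) for obj in OBJECTIVES}
    if category["confidentiality"] == "n/a":
        category["confidentiality"] = "low"
    return category

def baseline_for(category: Dict[str, str]) -> str:
    """FIPS 200: the control baseline is the high water mark across C, I and A."""
    return high_water_mark(category.values())

def format_category(category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation, e.g. SC = {(confidentiality, LOW), ...}."""
    return "SC = {" + ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES) + "}"

# Constructed sample system: the names resemble SP 800-60 information types, but
# the impact values are illustrative, not the recommendations of SP 800-60 Vol II.
SAMPLE_SYSTEM = [
    InfoType("Help Desk Services", dict(zip(OBJECTIVES, ("low", "low", "low"))),
             adjusted={"availability": "high"}),  # Step 3: time-critical service
    InfoType("Public Information", dict(zip(OBJECTIVES, ("n/a", "low", "low")))),
    InfoType("Identity and Authentication", dict(zip(OBJECTIVES, ("moderate",) * 3))),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_SYSTEM)
    print(format_category(cat), "-> baseline:", baseline_for(cat))
```

Running it prints the system category in FIPS 199 notation and the resulting baseline, which for the sample system is driven to high by a single adjusted availability rating.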

Example of controls to be applied based on its categorization:


Security controls are physical, technical, and/or administrative safeguards or countermeasures used to avoid, counteract, or minimize loss or unavailability due to threats that create risk. Administrative controls are actions taken by people as directed by policy and procedures. Technical controls are carried out or managed by automated systems. These controls are categorized as preventive, detective, corrective, and compensatory (SANS). It is important to note that NIST SP 800-53 states what the controls are, but allows the organization to define the parameters within each control and how to implement them.

These four documents are the basic building blocks for protecting systems owned by the U.S. federal government. Other documents are connected to them, such as the creation of the System Security Plan (documenting how the controls are implemented) and the creation of risk assessment documents (detailing and explaining the risk to the confidentiality, availability, and integrity of the system and/or data based on how the controls are implemented). Even though controls can be required, that doesn’t mean they are effective. How the controls are implemented and managed matters more in meeting their intent. Furthermore, each system is different, and a method or tool that works for one system may not be the right solution for another. The federal government is moving away from compliance-based assessment of controls toward assessing the effectiveness of the controls and capabilities deployed. This model has been dubbed The Cybersecurity Framework.

Monday, June 10, 2019

Week 02 - National Institute of Standards and Technology Risk Management Framework


TL:DR - The goal is not to bring risk to zero, but to an acceptable level of risk the organization is willing to tolerate.


Introduction

The United States Congress passed Public Law 107-347, titled the E-Government Act of 2002. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

Section 303 charges the National Institute of Standards and Technology (NIST) with the mission of developing standards, guidelines, and associated methods and techniques for information systems, based on an integrated Risk Management Framework (RMF).

Publications in NIST’s Special Publication (SP) 800 series present information of interest for computer security and privacy needs. The publications cover virtually every aspect of computer security. These documents recommend procedures and criteria for assessing and documenting threats and vulnerabilities, and for implementing security measures to minimize risk.

The foundation is based on the NIST SP 800-37, Risk Management Framework For Information Systems and Organizations. The NIST RMF “emphasizes risk management by promoting the development of security capabilities throughout the system development life cycle (SDLC); maintaining situational awareness of the security posture of those systems on an ongoing basis by means of continuous monitoring processes. Furthermore, providing information to senior leaders and executives to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations from the use and operation of their systems.”

However, it is SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, that provides a structured approach for managing risk through assessing, responding to, and monitoring it. The document covers the components of risk management; a life cycle-based process; and additional information such as process tasks, governance models, and strategies. This approach is to be applied throughout the entire organization: at the organization level, the mission/business process level, and the system level.

The risk management cycle is an iterative and continuous process, constantly informed by the changing risk landscape, organizational priorities, and functional changes. It is carried out as a holistic activity from the strategic to the tactical level. The risk management cycle provides four elements that structure an organization’s approach to risk management, as represented in Figure 1:
Figure 1: Risk Management Framework Lifecycle

Frame

The first component of risk management addresses how organizations frame risk by describing the environment in which risk-based decisions are made. The risk frame delineates the boundaries for risk-based decisions within organizations. These boundaries are based on:

  • Assumptions (e.g., threats, vulnerabilities, consequences/impact, and likelihood of occurrence)
  • Constraints (e.g., imposed by legislation, regulation, resource constraints (time, money, and people) and other factors identified by the organization)
  • Tolerance (e.g., levels of risk, types of risk, and degree of risk uncertainty that are acceptable)
  • Priorities and trade-offs (e.g., the relative importance of missions/business functions, trade-offs among different types of risk that organizations face, time frames in which organizations must address risk, and any factors of uncertainty that organizations consider in risk responses)

which affect how risk is assessed, responded to, and monitored.

Assess

The second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. Assessment is the process of identifying, estimating, and prioritizing risks. Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur. It should identify:

  • Threats
  • Vulnerabilities
  • Consequences (Impact) 
  • Likelihood

The assessment approach is usually quantitative, qualitative, or semi-quantitative; this post uses the qualitative method. In a qualitative risk assessment, the focus is on perceptions about the probability of a risk occurring and its impact on relevant organizational aspects, represented in scales such as “low, medium, or high”.

Respond

The third component of risk management addresses how organizations respond to risk once that risk has been determined from the results of risk assessments. “The purpose of the risk response component is to provide a consistent, organization-wide, response to risk in accordance with the organizational risk frame by: developing alternative courses of action for responding to risk; evaluating the alternative courses of action; determining appropriate courses of action consistent with organizational risk tolerance; and implementing risk responses based on selected courses of action.” There are five basic strategies:

  • Defense: Applying safeguards that eliminate or reduce the remaining uncontrolled risk.
  • Transferal: Shifting risks to other areas or outside the organization.
  • Mitigation: Reducing the impact to information assets should an attacker successfully exploit a vulnerability.
  • Acceptance: Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control.
  • Termination: Removing or discontinuing the information asset from the organization.


Acceptance is the decision to do nothing to protect the asset from the risk and to accept the outcome of any resulting exploitation. This strategy assumes that it can be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the expenditure. This strategy is recognized as valid only when the organization has:

  • Determined the level of risk,
  • Assessed the probability of attack and the likelihood of exploitation,
  • Estimated the potential damage,
  • Evaluated the feasibility of potential controls,
  • Performed a cost-benefit analysis, and
  • Determined that the benefits of control do not justify the costs to implement and maintain it.

Monitor

The fourth and last component provides organizations with the means to verify compliance, evaluate the effectiveness of response controls, and identify changes, as an iterative feedback loop for continuous improvement in the organization’s risk-related activities. This is truly the test-and-audit phase: its output increases risk awareness and develops an understanding of the ongoing risk. It is accomplished through tools, techniques, policies and procedures, and organizational programs:

  • An assessment program that gathers information about different aspects of the environment and the practices observed, to determine whether the response controls are adequate for managing the identified risks.
  • Conducting risk assessments based on this framework document at a defined frequency, and whenever certain criteria defined in a procedure require it.
  • Developing quantifiable metrics to gauge performance or progress, showing how processes are functioning and providing a basis for suggested improvements.
  • Giving defense and mitigation responses a reporting function, either manual or automated, that includes change management.
  • Instituting security testing; however, this activity should be used with extreme caution.

Implementation at System Level

Execution of the framework within an environment is visually depicted and described below.

Core NIST Documents:

Note: FIPS stands for Federal Information Processing Standards Publication (PUB).
  • FIPS-199, Standards for Security Categorization of Federal Information and Information Systems
  • FIPS-200, Minimum Security Requirements for Federal Information and Information Systems
  • NIST SP 800-18, Guide for Developing Security Plans for Systems
  • NIST SP 800-30, Guide for Conducting Risk Assessments
  • NIST SP 800-53, Security and Privacy Controls for Systems and Organizations
  • NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
Figure 2: System Certification & Accreditation


  • Categorize: Categorize the system and the information processed, stored, and transmitted by that system based on an impact analysis.
  • Select: Select an initial set of baseline security controls based on the categorization, tailoring and supplementing the security control baseline as needed.
  • Implement: Implement the security controls and describe how the controls are employed within the system and its environment of operation.
  • Assess: Assess the controls to determine the extent to which they are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
  • Authorize: Management authorizes the system to operate, or to continue operating, based on the results of a complete and thorough security control assessment.
  • Monitor: Continuously monitor the security controls to ensure that they remain effective over time as changes occur in the system and the environment in which it operates.

Conclusion

Systems are subject to threats that can have adverse effects on an organization’s operations, assets, individuals, and other entities through the exploitation of vulnerabilities that compromise confidentiality, integrity, and availability. Every decision is based on risk. The goal is not to bring risk to zero, but to an acceptable level of risk that the organization is willing to tolerate. This is so because an organization doesn’t have unlimited resources, and a perfectly secure system is one that holds no data and has its power cord removed from the wall, and is thus non-functional.