NIST Cybersecurity Fundamentals PDF

Summary

This document provides an overview of cybersecurity fundamentals, discussing threats, security objectives, and potential solutions. It also covers risk management, the NIST Cybersecurity Framework, and small business resources.

Full Transcript


Cybersecurity: The Fundamentals
Source: Raconteur: http://www.visualcapitalist.com/hackers-hack-motives-behind-cyberattacks/

What You'll Learn
- Cybersecurity basics
- Risk management
- Cybersecurity Framework
- Small business cybersecurity resources

More Information: Throughout this presentation, keep an eye out for these boxes, which will direct you to publications containing definitions, examples and more related to the topic on the slide.

Cybersecurity Basics
Cybersecurity: protecting electronic devices and associated data and information.

Complexity – Potential Threat Landscape
- Email
- Mobile devices
- Corporate website
- Social media
- Ecommerce systems
- Online banking
- BYOD and office policy
- Network management
- Backup and remote access

Cybersecurity Objectives (confidentiality, integrity, availability)
- Confidentiality: protecting information from unauthorized access and disclosure. Example: a criminal steals customers' usernames, passwords, or credit card information.
- Integrity: protecting information from unauthorized modification. Example: someone alters payroll information or a proposed product design.
- Availability: preventing disruption in how information is accessed. Example: your customers are unable to access your online services.
More: NIST Special Publication 800-12, revision 1, An Introduction to Information Security, section 1.4

Impact of a Threat
Why put your already limited resources into preparing for and protecting against cybersecurity attacks?
- Vulnerability: attackers can see small businesses as easy targets.
- Business costs: attacks can be extremely costly and threaten the viability of your business.
- Reputation: customers and employees expect and trust you to keep their information secure.

Cybersecurity Threats
- Phishing attacks
- Ransomware
- Hacking
- Imposter scams
- Environmental events
More: NIST Interagency Report 7621, revision 1, Small Business Information Security: The Fundamentals, section 2.1

Phishing Attacks
- Social engineering attack involving trickery
- Designed to gain access to systems or steal data
- Targeted phishing is "spear phishing"
- Variants include "vishing" (attacks by telephone) and "smishing" (attacks using SMS or text)
Example: An email about a delayed shipment causes you to click a link and download malware to your network.

Ransomware
- Type of software with malicious intent and a threat to harm your data
- The author or distributor requires a ransom to undo the damage
- No guarantee the ransom payment will work
- Ransom often needs to be paid in cryptocurrency
Example: WannaCry was one of the most devastating ransomware attacks in history, affecting several hundred thousand machines and crippling banks, law enforcement agencies, and other infrastructure.

Hacking
- Unauthorized access to systems and information
- Website attack such as DDOS
- Access denied to authorized users
- Stolen funds or intellectual property
Example: A newspaper kiosk's point-of-sale system was hacked and malware installed. Every customer's credit card information was sent to criminals.

Imposter Scams
- Someone "official" calls or emails to report a crisis situation
- They represent the IRS, a bank, the lottery or technical support
- There will be a sense of urgency and a dire penalty or loss if you don't act
Example: IRS scams – you receive a phone call claiming to be the IRS, reporting you owe money and need to pay or else get hit with a fine.

Environmental Threats
- Natural threats such as fire, earthquake and flood can cause harm to computers or disrupt business access
- Recovery efforts attract scams such as financial fraud
- Downtime can lose customers and clients who can't wait
Example: Ellicott City flooding wiped out businesses and their computers.

Elements of Risk
- What are the threats?
- What are the vulnerabilities?
- What is the likelihood of a threat exploiting a vulnerability?
- What would be the impact of this to your business?
More: NIST Special Publication 800-30, revision 1, Guide for Conducting Risk Assessments, section 2.3.1

What Are You Protecting?
To practice cybersecurity risk management, you can start with these steps:
1. Identify your business' assets
2. Identify the value of these assets
3. Document the impact to your business of loss or damage to the assets
4. Identify likelihood of loss or harm
5. Prioritize your mitigation activities accordingly
More: NIST Interagency Report 7621, revision 1, Small Business Information Security: The Fundamentals, section 2.2

1. Identify Your Business Assets
List the types of information, processes, important people and technology your business relies upon: customer info, banking info, proprietary technology, key employees, manufacturing process. Also consider critical business processes like sales and budgeting.
On the worksheet: in column 1, list the assets (e.g., information, people, processes, or technology) that are most important to your business. Add more rows, if needed.

2. Identify the Value of the Assets
Go through each asset type you identified and ask these questions:
- What would happen to my business if this asset was made public?
- What would happen to my business if this asset was damaged or inaccurate?
- What would happen to my business if I/my customers couldn't access this asset?
On the worksheet: pick an asset value scale that works for you (e.g., low, medium, high or a numerical range like 1-5).

3. Document the Impact to Your Business of Loss/Damage to the Assets
Consider the impact to your business if each asset were lost, damaged, or reduced in value (e.g., intellectual property revealed to competitors). This impact may differ from the asset value determined in step 2.
Pick an impact value scale that works for you (e.g., low, medium, high). Consider if any business processes have manual backup methods.

4. Identify Likelihood of Loss or Damage to the Asset
- List the threats to each business asset
- Evaluate the likelihood that the asset may be lost or damaged by the threat(s)
More: NIST Special Publication 800-30, revision 1, Guide for Conducting Risk Assessments, Appendix G, Likelihood of Occurrence

5. Identify Priorities and Potential Solutions
Compare your impact and likelihood scores. Assets with high impact and/or likelihood scores should be assigned top priorities.
- Identify your priorities
- Identify potential solutions
- Develop a plan, including funding, to implement the solutions
Sample priority structure:
- High: implement immediate resolution
- Medium: schedule a resolution
- Low: schedule a resolution
[Slides "5. Prioritize Assets - Risk Matrix" and "5. Prioritize Asset Protection" show the risk matrix and the completed worksheet.]

NIST Cybersecurity Framework ("Framework for Improving Critical Infrastructure Cybersecurity")
- Provides a continuous process for cybersecurity risk management
- For organizations of any size, in any sector, whether they have a cyber risk management program already or not
- Has proven useful to a variety of audiences
More: Framework for Improving Critical Infrastructure Cybersecurity version 1.1

Cybersecurity Framework Functions
[Figure: the five Framework Functions. Credit: N. Hanacek/NIST]

Identify
Develop organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Categories: Asset Management [ID.AM], Business Environment [ID.BE], Governance [ID.GV], Risk Assessment [ID.RA]
Sample Identify activities:
- Identify critical business processes
- Document information flows
- Establish policies for cybersecurity that include roles and responsibilities
- Maintain hardware and software inventory
- Identify contracts with external partners
- Identify risk management processes

Protect
Develop and implement the appropriate safeguards to ensure delivery of services.
Categories: Identity Management and Access Control [PR.AC], Awareness and Training [PR.AT], Data Security [PR.DS], Information Protection Processes and Procedures [PR.IP], Maintenance [PR.MA], Protective Technology [PR.PT]
Sample Protect activities:
- Manage access to assets and information
- Conduct regular backups
- Protect sensitive data
- Patch operating systems and applications
- Create response and recovery plans
- Protect your network
- Train your employees

Detect
Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Categories: Anomalies and Events [DE.AE], Continuous Monitoring [DE.CM]
Sample Detect activities:
- Install and update anti-virus and other malware detection software
- Know what the expected data flows for your business are
- Maintain and monitor logs

Respond
Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Categories: Response Planning [RS.RP], Communications [RS.CO]
Sample Respond activities:
- Coordinate with internal and external stakeholders
- Ensure response plans are tested
- Ensure response plans are updated

Recover
Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Categories: Recovery Planning [RC.RP], Communications [RC.CO]
Sample Recover activities:
- Manage public relations and company reputation
- Communicate with internal and external stakeholders
- Ensure recovery plans are updated
- Consider cyber insurance
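The five-step risk assessment above (assets, impact and likelihood scores, risk matrix, sample priority structure) carried through in code, as an added example rather than material from the NIST presentation. The 1-5 scales, the impact-times-likelihood scoring rule, the priority thresholds and the sample worksheet rows are assumptions of this example.

```python
# Scales assumed for this example (the presentation offers 1-5 as one option):
# impact and likelihood are each rated 1 (lowest) to 5 (highest).
SCALE = range(1, 6)

# Sample priority structure from the presentation, mapped to its action.
PRIORITY_ACTION = {
    "High": "Implement immediate resolution",
    "Medium": "Schedule a resolution",
    "Low": "Schedule a resolution",
}

def risk_score(impact: int, likelihood: int) -> int:
    """One cell of a 5x5 risk matrix: impact times likelihood (assumed rule)."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError("impact and likelihood must be rated 1-5")
    return impact * likelihood

def priority(impact: int, likelihood: int) -> str:
    """Step 5: high impact and/or high likelihood gets top priority.
    Thresholds are an assumption of this example: a 5 on either axis or a
    matrix score of 12 or more is High, 6 to 11 is Medium, below 6 is Low."""
    score = risk_score(impact, likelihood)
    if impact == 5 or likelihood == 5 or score >= 12:
        return "High"
    return "Medium" if score >= 6 else "Low"

def prioritize(worksheet: list[dict]) -> list[dict]:
    """Fill in score, priority and action for each worksheet row (asset, threat,
    impact, likelihood) and return the rows with the top priorities first."""
    rows = []
    for entry in worksheet:
        p = priority(entry["impact"], entry["likelihood"])
        rows.append({**entry,
                     "score": risk_score(entry["impact"], entry["likelihood"]),
                     "priority": p, "action": PRIORITY_ACTION[p]})
    return sorted(rows, key=lambda row: row["score"], reverse=True)

# Constructed sample worksheet; not data from the presentation.
SAMPLE_WORKSHEET = [
    {"asset": "Customer info", "threat": "phishing", "impact": 5, "likelihood": 4},
    {"asset": "Banking info", "threat": "imposter scam", "impact": 5, "likelihood": 2},
    {"asset": "Manufacturing process docs", "threat": "ransomware", "impact": 3, "likelihood": 3},
    {"asset": "Visitor Wi-Fi password", "threat": "disclosure", "impact": 2, "likelihood": 2},
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_WORKSHEET):
        print(f"{row['priority']:6} score={row['score']:2} {row['asset']}: {row['action']}")
```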
