Cyber Security Frameworks

by Bill (a.k.a., fsu_tkd90)

The last article I submitted to 2600 was printed in 27:3 (Autumn 2010).  Back then I wrote about my biggest problem at work: spam.  Now I am writing about a dizzying problem for all corporations: all of the cyber security frameworks a company could be subject to.

Let's start by defining what cyber security is.

Cyber security is not to be confused with information security.  Information security is intended to protect data from any form of threat, regardless of whether the data is analog or digital.  Cyber security is meant to protect against attacks in cyberspace on data, storage sources, or devices.  Cyber security usually deals with cyber crimes, cyber frauds, and law enforcement.  A cyber security framework is, essentially, a system of standards, guidelines, and best practices to manage risks that arise in the digital world.  These frameworks typically align with the security objectives of corporations.

It's important to understand why the cyber security frameworks are so important.

Cyber attacks are now coming from nation-states as a part of war.  Iranian nation-state attackers typically use remote exploitation, password spray, and phishing "man-in-the-middle" attacks.  Russian state-sponsored Advanced Persistent Threat (APT) actors have used tactics including spear-phishing, brute-force, and exploiting known vulnerabilities against accounts and networks with weak security.  Chinese state hackers are using open-source information and common exploits.

Some of the largest attacks in the USA were the Colonial Pipeline, Brenntag (a chemical distribution company), Acer, JBS Foods, Quanta (Apple's business partner), and the National Basketball Association (NBA).

The two newest top trends malicious actors employ are human-operated ransomware (automated ransomware with a human on the keyboard) and "ransomware as a service."  Ransomware as a service is inexpensive and readily accessible.  "Cyber crime as a service" companies now have human resource departments and operate from countries with limited extradition laws.  An example of this is the ransomware gang Conti, which operates no differently than a legitimate corporate business.  They maintain salaried employees who are provided bonuses, performance reviews, employee referral incentives, and the coveted spot of "Employee of the Month."  The employee of the month receives a bonus equal to half their salary.

Any of these cyber security frameworks takes years to implement, and this article is not meant to explain each in detail.  Rather, it is meant to make you aware that they exist and to give you a basic understanding.  The cyber security frameworks all promote good basic cyber hygiene.  Some of the frameworks are listed below.

ISO/IEC 27001 is composed of 18 sections with 114 total controls.  ISO/IEC 27001 is a framework that helps organizations "Establish, implement, operate, monitor, review, maintain, and continually improve an Information Security Management System (ISMS)."  It is a joint operation between the I.T. department and the human resources parts of the business.  ISO/IEC 27001 certification demonstrates that an organization has invested in the people, processes, and technology (e.g., tools and systems) needed to protect its data, and it provides an independent, expert assessment of whether your data is sufficiently protected.  Reports and policies must be proven effective to the auditors.

Information Governance

HIPAA is composed of five main elements and CFR Part 164, Parts C, D, and E.

First, let's define Information Governance (IG).  It is the process of aligning the management and control of information with business objectives and regulatory compliance requirements.  IG in healthcare sets corporate principles for addressing data-related challenges, such as ensuring the confidentiality and security of patients' data.  The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.  HIPAA improves efficiency in the healthcare industry, improves the portability of health insurance, protects the privacy of patients and health plan members, and ensures that health information is kept secure and that patients are notified of breaches of their health data.  HIPAA was based on The Health and Clinical Health Act (HITECH).  It encouraged health care providers to adopt electronic records and improve privacy and security protections for all healthcare data.  HITECH was enacted under Title XII of the American Recovery Act.  It has five goals: to improve quality, to improve safety, to engage patients in their care, to increase coordination, and to improve population health status.  It was enforced by the Office of the National Coordinator (ONC).

CIS Security Controls

There are 20 sections (sometimes called the SANS Top 20) with 178 sub-sections.

Center for Internet Security (CIS) 20 is a prescriptive, prioritized, and simplified set of cybersecurity best practices.

How are CIS Security Controls implemented?

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is composed of 12 sections with 288 controls.

The PCI DSS is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.  The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes.  The major credit card schemes are: American Express, Mastercard, Discover, Visa, and JCB.

The PCI standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.  The Card Holder Data Environment (CDE) comprises the people and techniques that store, process, or transmit cardholder data or sensitive authentication data.

Federal Financial Institutions Exam Council (FFIEC)

This is a framework (a cyber assessment tool) for measuring cyber security risk and preparedness in the financial industry.  The FFIEC provides a cyber security assessment tool to help organizations better understand and address their cyber security risk.  It is a five-member agency responsible for establishing consistent guidelines and uniform practices and principles for financial institutions.  FFIEC guidelines provide financial institutions with expectations for compliance.

The following is not a framework but a recommended model:

FedRAMP - A government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.  This approach uses a framework that saves the costs, time, and staff required to conduct redundant agency security assessments.  FedRAMP Ready indicates that a Third-Party Assessment Organization (3PAO) attests to a Cloud Service Provider's (CSP's) readiness for the authorization process, and that a Readiness Assessment Report (RAR) has been reviewed and approved by the FedRAMP Program Management Office (PMO).  Because FedRAMP is mandatory for all cloud services used by federal agencies, you won't be able to do business with them without getting your FedRAMP authorization.  Your organization is potentially missing out on a lot of revenue if you choose not to pursue compliance.

The following is not a framework but a standard:

The Federal Information Processing Standards (FIPS) were developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA).  They are a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with those agencies.

FIPS 140-2 has four levels of security:

In conclusion, all of these frameworks are important because criminals want cash, things that can be turned into cash, and information someone else would find valuable.

In 2021, REvil's domain was hacked by another gang, Emotet returned with Cobalt Strike, and BlackMatter used tools from Darkside, REvil, and LockBit.  SQUIRRELWAFFLE was observed using Office documents that infected systems with Cobalt Strike.  To defend against future threat actors, Microsoft purchased Section 52, which is a world-class team of defenders, IoT/OT security researchers, and data scientists.

I'll end with a couple of acronyms.  The CIA Triad (Confidentiality, Integrity, and Availability) is a common model that forms the basis for the development of security systems.

The DIE Triad (Distributed, Immutable, Ephemeral) serves as an alternative to the CIA Triad that reduces our security burden, enables us to achieve true resiliency, and moves us toward anti-fragility.
