Today we talk about how you can use Step 1 of the NIST model to mitigate cyber security risks in your environment. The first step is to take an inventory of your environment so you can understand what you are trying to defend. Kip Kirchberg is an international cyber security expert who has experience building cyber security teams and working with Fortune 500 organizations. Experience includes, but is not limited to: building SIEM platforms, endpoint security, 3rd-party remote access, industrial control systems, next-gen firewalls, helping organizations identify cyber security risks, generating reports that lead to actionable data, building and maintaining an incident response team, drafting and adopting corporate cyber security governance, internal and external pen testing, plus much more.
Did you know that this year there are going to be over 20 billion devices connected to a network? That’s right, 20 billion devices, and it should come as no surprise to anyone that with this many devices connected to networks, they become easy targets for cyber criminals. In fact, it’s estimated that cyber criminals are going to attack these devices and cost US businesses over 6 trillion dollars. So you’re probably asking yourself: what can I do to protect my network, and what can I do to mitigate my cybersecurity threat landscape?
First you must understand that there is no one-size-fits-all solution when it comes to cyber security. Every organization needs a custom-tailored cybersecurity solution to fit its business needs. There are some basic frameworks you can use to help you on your journey to identify cyber security risk within your organization and develop a plan to mitigate those risks.
Today we’re going to talk about a particular framework called the NIST framework. There are five layers to the NIST framework.
- You must Identify what assets are in your environment
- You must Protect the assets in your environment
- You must be able to Detect malicious activity
- You must be able to effectively Respond to threats. This is where a trained and tested incident response team is valuable.
- You must have the ability to Recover.
Today, within the NIST framework, we’re going to focus on step one. Step one is to identify what assets are actually living in your environment. Part two of step one is to understand what assets live in the business environment and, for industrial control teams or production teams, to understand what assets belong in your production environment. Once there is a clear understanding of what zone each asset should be contained in, you can move forward and build some governance and rules of engagement around these devices.
Example: The business environment is maybe a little less sensitive to disruptions; however, the industrial control environment cannot afford any interruption, as it runs machines operating in real time, and any slight interruption could actually stop production and stop the shipping of goods. From a security standpoint this is the one thing we cannot do. To ensure you have developed, understood and agreed-upon rules of engagement, you can add these items into governance for all to review and follow.
Next you need to complete a cyber-risk assessment so that you understand what assets are in your environment and what their criticality is to the business. Are the assets high-value assets like the core production machine, or are they low-value assets like a workstation used just for checking email? From a manufacturing standpoint you must never impede or stop production, as this is the core of the business that prints dollar bills and provides a livelihood to all its employees. While others cannot live without email, the reality is that if email goes down for an hour or two there is no real interruption to revenue, but rather a delay in communication. Once we categorize these devices and understand their value in the environment, we can identify their risks and quantify the cost to the business should a device be attacked and go offline.
Once we identify the risk associated with each asset, you can develop a risk management strategy to patch or replace vulnerable devices. In some cases, there are devices that live in your environment that are 20-30 years old and simply cannot be replaced. These are typically the custom-developed devices that give your organization a competitive advantage, and upgrading them is simply not feasible from a financial standpoint. If you have these types of devices in your environment, you will need to take the next steps and build castle walls around them to ensure that they are protected from potential cybersecurity attacks.
To help you identify what’s in your environment, you can use several software auditing tools. Some of these tools include, but are not limited to, Tripwire, Rapid7, Claroty, or Nessus. All of these are good tools. The key is that you must pick one, implement it in your environment, strategize on generating actionable data, and take the necessary steps to move forward, because doing something is better than doing nothing.
By capturing device inventory, you can identify which operating systems, such as Windows 7, Windows NT, Windows 10, server OSes, Unix, and Linux versions, are living in your environment. Many of these tools will go a step further and also identify what industrial control systems you have living in your environment, such as Siemens, Honeywell, Rockwell, Cisco, and many others.
As part of the inventory collection, these systems will report what hardware versions are running in your environment, what OS is running, and sometimes what firmware. Again, having this type of data about your environment will help you with your risk mitigation strategy, to identify which devices cannot be patched or replaced and which devices can be patched or replaced in an industrial environment.
Again, it’s proven that some devices in an industrial environment have been there 20 to 30 plus years. That is definitely not something that is easy to replace. Having this data helps you develop a strategy and build a plan to protect the asset.
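As an added illustration (not code from the original article, and not any scanner's real export format), here is a small Python triage over constructed inventory records of the kind the last few paragraphs describe: each asset carries the zone it was found in versus the zone governance assigns it, its business criticality, whether it can realistically be replaced, its OS, and its count of open findings. The script flags end-of-life operating systems, ranks assets by business impact times exposure, recommends patch, replace, or isolate (the "castle walls" option for unreplaceable legacy equipment), and reports assets found outside their assigned zone. The field names, the end-of-life list, and the weights are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed record of the kind an inventory/vulnerability scanner exports.
# Field names are assumptions for this example, not any vendor's schema.
@dataclass
class Asset:
    host: str
    os: str
    firmware: Optional[str]
    found_zone: str       # network zone the scanner observed the asset in
    expected_zone: str    # zone that governance says the asset belongs in
    criticality: str      # "high" (stops production), "medium", "low" (email-only workstation)
    replaceable: bool     # False for 20-30 year old custom equipment
    open_vulns: int       # count of unpatched findings from the scan

# Constructed sample inventory.
INVENTORY = [
    Asset("pcs-line1-plc", "Windows NT 4.0", "2.1", "production", "production", "high", False, 4),
    Asset("hmi-line1", "Windows 7", None, "production", "production", "high", True, 6),
    Asset("mail-ws-22", "Windows 10", None, "business", "business", "low", True, 2),
    Asset("eng-laptop-07", "Windows 10", None, "production", "business", "medium", True, 1),
    Asset("erp-app-01", "Ubuntu 22.04", None, "business", "business", "medium", True, 0),
]

# Constructed end-of-life list for the example; in practice, source this from
# the vendors' lifecycle pages.
EOL_OS_PREFIXES = ("Windows NT", "Windows XP", "Windows 7",
                   "Windows Server 2003", "Windows Server 2008")

CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def is_end_of_life(os_name: str) -> bool:
    """An OS that no longer receives security fixes cannot be 'patched' away."""
    return os_name.startswith(EOL_OS_PREFIXES)


def risk_score(asset: Asset) -> int:
    """Business impact times exposure: open findings plus a fixed penalty for
    an end-of-life OS (the assumed weights are illustrative)."""
    exposure = asset.open_vulns + (3 if is_end_of_life(asset.os) else 0)
    return CRITICALITY_WEIGHT[asset.criticality] * exposure


def recommend(asset: Asset) -> str:
    """Patch what can be patched, replace EOL gear where feasible, and wall off
    (isolate) the legacy equipment that cannot be replaced."""
    if is_end_of_life(asset.os):
        return "replace" if asset.replaceable else "isolate"
    return "patch" if asset.open_vulns else "monitor"


def zone_violations(inventory: List[Asset]) -> List[str]:
    """Assets observed in a zone other than the one governance assigns them."""
    return [a.host for a in inventory if a.found_zone != a.expected_zone]


def triage(inventory: List[Asset]) -> List[Tuple[str, int, str]]:
    """Rank assets highest-risk first with a recommended next step for each."""
    ranked = sorted(inventory, key=risk_score, reverse=True)
    return [(a.host, risk_score(a), recommend(a)) for a in ranked]


if __name__ == "__main__":
    for host, score, action in triage(INVENTORY):
        print(f"{host:16} score={score:3} -> {action}")
    print("zone violations:", zone_violations(INVENTORY))
```

The ranking puts the two production systems running end-of-life Windows at the top, the unreplaceable PLC gets "isolate" rather than "replace", and the engineering laptop found on the production network shows up as a zone violation even though its own risk score is low, which is exactly the kind of actionable list that keeps a first full scan from turning into paralysis by analysis.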
Inventory and vulnerability management can be a very tough task. I’ve seen it time and time again in small, medium, large, and even enterprise businesses. They go and purchase their nice fancy tools, install them in their environment, and do a full scan to gather their inventory. Once they get a full report of the vulnerabilities in their environment, they quickly become overwhelmed with information and suffer from paralysis by analysis, simply because they don’t know what the next steps are.
This is where somebody like a third party can help. A third party can help you analyze what assets you have living in your environment and what vulnerabilities are associated with each asset, and help you take the next steps to develop a strategy to address those vulnerabilities.
These steps can include plans to patch vulnerabilities, steps you can take to wall off particular assets, or help determining whether an asset cannot be patched or replaced and, if so, developing the best option to ensure the asset is protected from potential cyber security attacks.
The key here is first identifying what I have and what vulnerabilities are living in my environment, and then building the strategy to mitigate those risks. At the end of the day, you can’t protect or defend what you don’t know you have or don’t know is living in your environment.
If you or your organization has any questions on how to implement any of these processes or procedures, please feel free to reach out and I’ll be glad to sit down and discuss these items with you.