Recent criticism of the National Institute of Standards and Technology's (NIST) cybersecurity guidelines for federal agencies raises the logical question: if government networks are at risk, how can I possibly ensure that my operation is protected? One place to start is the IT Security Essential Body of Knowledge from the United States Computer Readiness Team (US-CERT).
First, the back story. There are always recommendations, lists and guidelines floating around. Most of the time this stuff is boilerplate, and we all realize there's a big gulf between what some working-group committee puts down on paper and what you can accomplish, practically speaking, in the real world. Not to mention the time and budget issues (as in, there's never enough of either).
Yet this subject kept bubbling up for me as I read the slew of government cybersecurity stories over the past few weeks. First came the resignation of White House acting Senior Director for Cyberspace Melissa Hathaway on August 4. Shortly thereafter, US-CERT Readiness Team Director Mischel Kwon submitted her resignation a few weeks ago, too. Then the Department of Homeland Security's National Cyber Security Center said it would deploy a wiki to foster cybersecurity collaboration among federal agencies.
But the biggie was the report from the Cyber Security Institute, which raised alarms about whether government systems are adequately protected from new threats like cybercriminal mobs from Russia or the Chinese military.
This time around, I don't think the alarmists are crying wolf. The threat from organized cybercriminals is real. Also, the protection lapses of government networks are probably duplicated by most commercial setups. This spurred me into surfing around to see if I could find any "lessons learned," which are broadly applicable. So here are two:
An interesting site called Technolytics has posted a white paper entitled "The Second Stimulus Package: Focusing on Protecting Critical Infrastructure Cyber Protection" (get the pdf here). I don't know what stimulus has to do with anything, but the paper makes a very good point about the presence of obsolete equipment in a network and how that can caused increased security risks. Software updates and patch management for older systems is a problem. Probably many operations don't even bother with this stuff.
We all know this line of thinking. Say, for instance, I've got an old Windows NT workstation that is chugging away. I'd rather not touch it, because if I do, I know it's gonna "break" and then what do I do? Replace it? Upgrading random pieces of old equipment is asking for a game of network pick-up-sticks. (Pull one thing out, something else breaks.) Plus, there's usually no budget for this stuff.
OK, so the second doc I found, which is the point of this post, is the US-CERT's IT Security Essential Body of Knowledge (get the pdf here). It's one of those broad competency frameworks intended to set a skills baseline for security practitioners. The 51-page document reads much like you'd expect from a government tome. The only thing missing was a "this page intentionally left blank," which actually is the one good idea I've always thought should've carried over to civilian documentation.
However, it does contain some useful checklists, which you can use to inventory whether your practices are pointed in the direction they need to be to protect your network. Here's the one I thought was most useful, from section 2.7.3 under the heading "Implement" (Check out section 2.7 for a fuller list):
2.7.3 Implement
- Prevent and detect intrusions, and protect against malware
- Perform audit tracking and reporting
- Apply and manage effective network domain security controls in accordance with
enterprise, network, and host-based policies
- Test strategic network security technologies for effectiveness
- Monitor and assess network security vulnerabilities and threats using various technical and non-technical data
- Mitigate network security vulnerabilities in response to problems identified in
vulnerability reports
- Provide real-time network intrusion response
- Ensure that messages are confidential and free from tampering and repudiation
- Defend network communications from tampering and/or eavesdropping
- Compile data into measures for analysis and reporting.
OK, so it's a start. I'd be interested to hear whether readers think the cybersecurity threat is more serious today than previously, and whether something like the checklist above is useful.
Follow me on Twitter.
Write to me at [email protected].
