
How to Check the Cybersecurity Defense Status of the Enterprise according to the NIST Cybersecurity Framework?

2023.07.10TeamT5 Media Center
The NIST Cybersecurity Framework was published by the U.S. National Institute of Standards and Technology. Through a systematic, structured set of standards, it helps companies examine the gaps in their own cybersecurity defenses and make targeted improvements. For a basic introduction, please refer to this article.
Based on the five core functions of the NIST Cybersecurity Framework, this article provides tips for checking the status of enterprise cybersecurity defenses, aiming to help enterprises and organizations strengthen their defense capabilities and reach a high level of cybersecurity resilience.

Identify

First, make an inventory of the company's digital assets to clarify which assets are important and need to be protected. Also make an inventory of installed software so you know which software may carry vulnerabilities; keep this list current by checking it against the vendors' own information.
Enterprises should also establish data management policies, a list of privileged system accounts, and similar records in order to understand their internal security posture. Other concrete steps include: following the 3-2-1 principle for backing up data; lining up external service partners (cybersecurity team, legal team, public relations team); purchasing cybersecurity insurance; conducting education and training; and running cybersecurity drills.

Protect

Enterprises should close off the channels attackers use to get in, add protection to every possible attack path, enforce complete access control, and adopt the principle of least privilege.
Specific measures include:

Setting:
  • Network segmentation policy and its implementation
  • Security configuration policy, with ongoing maintenance and verification: system accounts, firewalls, externally exposed services

Account:
  • Account security policy and continuous verification
  • Account management, password requirements, permission request and revocation, privileged account rules and management
  • Policy and management for externally accessible accounts: MFA, least privilege

Vulnerability management:
  • Vulnerability management and patching process, with clear responsibilities and an assurance mechanism

Defense:
  • Establish defense measures against the various intrusion channels: IPS, WAF, EPP, etc.
  • Ensure defense mechanisms are kept up to date
  • Restrict and manage intrusion channels: for example, disable USB flash drives

Detect

It is recommended that enterprises collect complete records (logs), deploy mechanisms that monitor for suspicious traffic or behavior, and proactively hunt for any such traffic or behavior.
Among the alerts issued by security solutions, the important ones should be singled out, and the attack situation should be understood from them, so that appropriate resources can be allocated to the response.

Respond

The goal of "Respond" is to minimize losses, resolve the situation quickly, and find the cause of the intrusion.
If the steps above are implemented one by one, they will help reduce corporate losses. Companies should therefore draw up incident contingency plans during normal operations, spelling out how team members should act when a security incident occurs, so that when an incident actually happens the team does not fail to respond appropriately.
Specific measures include:

Control
  • Confirm the damage and the scope of impact, contain the situation, and reduce losses

Record
  • Retain evidence; ensure that log collection mechanisms are in place on all systems, with centralization and backup

Investigation
  • Tracing the cause of the intrusion and assessing the damage

Contact
  • Internal and external contacts: reporting point of contact, responsibilities, coordination, and internal and external communications
  • Assistance from external teams, and reporting
  • Seek assistance from legal counsel, public relations, and insurance companies

Team
  • Seek assistance from the security incident response team (please refer to this article for details)

Policy
  • Cybersecurity incident response process
  • Standardized notification process
  • Regulatory compliance

Recover

At the core of "Recover" in the framework is the data backup and recovery mechanism. Enterprises should carry out system recovery and service recovery according to standard procedures. It is also crucial to formulate a disaster recovery plan and a business continuity plan in advance, and to rehearse them through drills.

In addition, for the case where the company is hit by ransomware and the attacker demands a ransom for its data, the company must also plan for negotiations and prepare for the possibility of a ransom payment.


TeamT5 consists of top cyber threat analysts. Leveraging our geographic and cultural advantages, we have the best understanding of cyber attackers in the Asia Pacific region. TeamT5 is frequently invited to share insights at top cybersecurity conferences. Our threat intelligence research expertise and solutions were recognized with the 2023 Company of the Year Award in Taiwanese Threat Intelligence by Frost & Sullivan.
Contact us and start your cyber defense plan: https://teamt5.org/en/request-information/