Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
3/5/2015
09:50 AM
Scott Montgomery
Scott Montgomery
Partner Perspectives
50%
50%

How Secure Are You?

The NIST Cybersecurity Framework can help you understand your risks.

Are you secure? Unfortunately, there is no way to prove that no one can breach your security. You can be compliant with any number of different regulations and frameworks and still be caught by some new attack or unanticipated vulnerability. That is one reason I like the Framework for Improving Critical Infrastructure Cybersecurity, released last year by the National Institute of Standards and Technology (NIST).

This security framework is different from other security regulations and frameworks because it is a process- and risk-management tool, not a static checklist or set of compliance requirements. Over the past year, we ran a pilot project with this framework in the Intel IT department to see how it works in the real world and how it compares to our existing security posture and processes. One of the most valuable lessons learned was how the framework improved visibility and facilitated discussions about risk throughout all levels of the company. Using the framework, we developed a heat map of our risk scores in several categories under the five major functions: identify, protect, detect, respond, and recover. Our CISO and the core security team established the desired target scores and their evaluation of the current scores in each area.

Then, without revealing the targets or the core team’s numbers, we asked several subject-matter experts throughout the company to score their own worksheets. Comparing these worksheets identified key issues for discussion, including a large gap between core team and SME scores, education and visibility issues, and a positive or negative gap between current and target numbers, indicating areas of under or overinvestment. Categories with a low score were expanded into subcategories (e.g. computing assets expanded to laptops, tablets, mobile, servers, storage, and network) to find the specific areas in need of improvement.  

The five functions emphasized to everyone that security is more than detect and protect. Identifying data and tasks that require protection helped us highlight areas that needed further assessment. Developing the target scores supported better informed discussions on risk tolerance. The respond and recover functions underlined the need to be prepared to act quickly in the event of a breach to contain the damage and inform those affected. And the whole process enhanced our communications by harmonizing our language and terminology and helping us to recognize areas of difference and disconnect.

Our experience with this framework has been very positive, and we plan to continue to use it throughout Intel and with our suppliers and partners. I would encourage any size organization to evaluate and implement it also. When you do, we have a few suggestions to share from our initial project:

  • Do it yourself. This is a process for discovery and discussion, not a checklist or assessment that can be done by a consultant.
  • Start small and easy.  It’s best to start with a small group that is comfortable with at least some of the language and technology, not across the whole organization.
  • Customize for you. This is not a one-size-fits-all framework. Tailor the components for your business and technology environment.
  • Work with decision makers. Risk management is not a static process, and it touches all levels of the organization. Engage them early and continually.

This framework began with collaboration between government, industry, and non-governmental organizations. Our best bet for better security is to continue that approach, protecting privacy and civil liberty, while promoting innovation and the use of the Internet for global economic development.

Scott Montgomery is vice president and chief technology officer for the Americas and public sector at Intel Security. He runs worldwide government certification efforts and works with industry and government thought leaders and worldwide public sector customers to ensure that ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...
CVE-2019-18889
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.