The Protect Function of the NIST Cybersecurity Framework
Introduction
We previously looked at The Identify Function of the NIST Cybersecurity Framework and saw how the intended purpose is to identify assets, assess their value, identify threats/risks, determine the likelihood of a successful attack, identify what controls and policies can be implemented to protect and mitigate the risk and finally identify the best way to respond once an attack occurs.
Moving on to the Protect Function
After completing the Identify function, you should have a good understanding of the assets and resources that are critical to your organization and the risks and threats that they face. With this knowledge, you can now begin to implement controls to protect your organization from cyber threats.
There are two types of controls that you can implement: technical controls and operational controls. Technical controls are tools and technologies that are used to protect your organization's systems and networks from cyber threats. These can include things like firewalls, antivirus software, and access controls. Operational controls are the processes and policies that are put in place to ensure that your organization's systems and networks are being used safely and securely. These can include things like password policies, user training, and incident response plans. By implementing both technical and operational controls, you can create a strong defense against cyber threats and reduce the risk of a successful attack.
Technical Controls
One key aspect of the Protect Function is implementing technical controls. Technical controls are measures that can be implemented to protect against potential threats and vulnerabilities on a technical level. These controls can help to secure networks, systems, applications, and data from cyber attacks, data breaches, and other types of incidents. Some examples of technical controls include:
Firewalls: These are hardware or software-based systems that act as a barrier between a network and the internet, blocking unauthorized traffic and allowing only authorized traffic to pass through.
Antivirus software: This is software that is designed to detect and remove malware, such as viruses, worms, and Trojan horses, from a computer or network. Some examples of antivirus software include McAfee, Symantec, and Kaspersky.
Access controls: These are measures that regulate who has access to a system or network and the level of access they have. Access controls can include user authentication, which involves verifying the identity of a user before granting access, and authorization, which involves granting specific levels of access based on a user's role or responsibilities.
Encryption: This is the process of converting data into a code to protect it from unauthorized access. Encryption can be used to secure data in transit, such as when it is transmitted over a network, or at rest, such as when it is stored on a device or server. Some common encryption techniques include symmetric key encryption, where the same key is used to both encrypt and decrypt the data, and public key encryption, where a pair of keys is used, with one key used to encrypt the data and the other used to decrypt it.
Network segmentation: This involves dividing a network into smaller, more secure segments to reduce the risk of a data breach or cyber attack. Network segmentation can be implemented using hardware or software-based solutions, such as virtual LANs (VLANs) or firewalls.
Intrusion detection and prevention systems (IDPS): These are systems that monitor a network for suspicious activity and alert administrators or take automated action to block or prevent an intrusion. IDPS can be implemented using hardware or software-based solutions, such as network-based IDPS (NIDPS) or host-based IDPS (HIDPS).
Physical security: This refers to measures that are taken to protect physical assets, such as computers, servers, and data centers, from unauthorized access or damage. Physical security measures can include locks, security cameras, and access control systems.
Operational Controls
Operational controls are measures that an organization puts in place to protect against cyber threats and ensure the secure operation of its systems and networks. These controls can include policies, procedures, and practices that are designed to prevent, detect, and respond to cyber threats. Some examples of operational controls include:
Employee Awareness Training: This helps protect organizations from cyber threats by educating employees about the types of threats they may encounter, such as phishing attacks, as well as how to recognize and respond to them. By educating employees about these threats, organizations can reduce the risk of a successful cyber attack and minimize the impact if one does occur. This type of training is typically delivered through a combination of in-person sessions and online resources and should be regularly updated to keep employees informed about the latest threats.
Access Control: This is both a technical control and an operational control and can include measures such as password policies, multi-factor authentication, and role-based access controls, which are designed to ensure that only authorized users have access to sensitive resources.
Patch Management: This is the process of regularly applying updates and patches to software and systems to fix vulnerabilities. These updates can include security patches, bug fixes, and feature improvements. It is important to keep systems and applications up to date with the latest patches to ensure that they are secure. This can be done manually by an IT administrator or can be automated through the use of patch management software.
Incident Response: This involves having a plan in place to quickly and effectively respond to a cybersecurity incident, including identifying the cause, containing the damage, and restoring affected systems.
Data backup and recovery: This involves regularly backing up important data and having a plan in place to recover it in the event of a cyber-attack or other disaster.
Operational controls are critical for protecting against cyber threats and ensuring the secure operation of an organization's systems and networks. By implementing strong operational controls, organizations can reduce the risk of a cyber attack occurring and minimize the impact if one does occur.
Additional Considerations
After implementing technical controls and operational controls, there are still a few other important steps to consider as part of the Protect function. These include:
Testing and monitoring: It's important to regularly test and monitor your defenses to make sure they are effective in protecting your organization from cyber threats. This can include conducting penetration tests, which involve simulating a cyber attack to see if your defenses can withstand it, as well as running vulnerability scans to identify any weaknesses in your systems and applications. It can also involve reviewing log files to identify any unusual or suspicious activity. By regularly testing and monitoring your defenses, you can ensure that they are working as intended and identify any areas that need improvement to better protect your organization from cyber threats.
Incident response planning: It's essential to have a plan in place for how to respond to a cyber incident if one occurs. The plan should outline the steps that need to be taken to contain the incident, which means stopping it from spreading and causing further damage. This might involve things like shutting down certain systems or disconnecting from the internet. The plan should also include steps for eradication, which means getting rid of the problem and returning things to normal. This might involve things like removing malware or restoring systems from backup. The plan should also include steps for recovery, which means getting your organization back to business as usual. This might involve things like recovering lost data or reopening systems that were shut down during containment. Finally, the plan should include steps for reporting, which means letting the appropriate people know about the incident and what happened. This might involve things like notification to law enforcement or regulatory agencies.
Review and update: Finally, it's important to regularly review and update your defenses to ensure that they are still effective and to address any new threats or vulnerabilities that may have emerged. This means checking in on all the measures you have in place to protect your organization from threats and making sure they're still working well. It's also important to look out for new threats that may have come up since you last checked, and to make changes to your defenses to address those new threats. To do this, you'll want to review your risk assessment, which is a list of all the risks your organization faces and how you're protecting against them. You'll also want to check in on your technical controls, which are tools and measures you use to protect your systems, and your operational controls, which are the policies and procedures you have in place to keep your organization safe. By regularly reviewing and updating these things, you can make sure your defenses are always ready to protect your organization from cyber threats. This process may involve implementing new security measures, updating existing ones, or revising policies and procedures to better address new threats. It's important to stay vigilant and proactive in this process to ensure that your organization is as secure as possible.
Conclusion
The Protect Function in cybersecurity risk management is all about taking steps to prevent cyber threats from affecting your organization. This includes implementing a variety of measures, such as technical controls and operational controls, to reduce the risk of a cyber attack and minimize the impact if one does occur. Technical controls are measures that use technology to protect your organization's systems, data, and networks. Examples of technical controls include firewalls, antivirus software, and access controls. Operational controls, on the other hand, are measures that involve processes and procedures to ensure the security of your organization. Examples of operational controls include employee awareness training, patch management, and incident response planning. By implementing a combination of technical and operational controls, you can effectively protect your organization against cyber threats.