As my roles changed, one of the most challenging times was when I had to complete an internal
audit in my role as an Engineer. I had to learn what controls were and about collecting evidence.
No longer was it acceptable to just have a task list with monthly to-dos checked off. The
document had to have the person’s name detailing who completed it, the time and date of
completion, and any comments that would reference any action taken or not taken. The internal
auditor then gave me a rundown on some things that would help me including an understanding
of what a control is.
What is a Control?
A control is a set of rules or procedures implemented within a company to ensure the integrity of
data and processes that a system supports. Common controls are things such as backup controls,
separation of duty controls, and physical security controls.
As you read through articles or security websites, you may see references to CIS Controls.
The Center for Internet Security (CIS) is a “community-driven nonprofit, responsible for the CIS
Controls and CIS Benchmarks, globally recognized best practices for securing IT systems and
data. We lead a global community of IT professionals to continuously evolve these standards and
provide products and services to proactively safeguard against emerging threats.”
What are the 18 CIS Controls?
In May 2021, CIS launched the latest version of the CIS Controls, v8.0, which reduced the list of 20 controls to 18.
These controls address areas of IT risk and form the foundation for a strong cybersecurity
program. The CIS Controls are an international-level collection of the best security practices to
implement.
Each item is a starting point that defines controls that guide security improvement within your organization. CIS Control 01 Inventory and Control of Enterprise Assets states:
“Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.”
If you don’t know what assets you have, how can you protect them? An inventory also tells you that when you see an asset that is not on the list, an action should be taken. You can have a policy, and a supporting control, that only authorized and approved devices are allowed on the network. For any device not in this inventory, a defined action needs to be taken.
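As an added illustration of Control 01 (not code from CIS or from the original post), the script below reconciles a constructed discovery scan against a constructed authorized inventory and records the result as audit evidence with the reviewer’s name, timestamp and comments, the kind of record the internal auditor asked for above. The field names, the sample MAC addresses and the "isolate and investigate" action are this example’s own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data (not real assets): the approved inventory keyed by MAC,
# and what a discovery pass observed on the network.
AUTHORIZED_INVENTORY = {
    "aa:bb:cc:00:00:01": {"hostname": "fs-01", "owner": "IT", "type": "server"},
    "aa:bb:cc:00:00:02": {"hostname": "lt-jdoe", "owner": "Finance", "type": "laptop"},
    "aa:bb:cc:00:00:03": {"hostname": "sw-core", "owner": "IT", "type": "network"},
}
DISCOVERED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.1.10"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.2.57"},
    {"mac": "aa:bb:cc:00:00:09", "ip": "10.0.2.88"},  # not in the inventory
]


@dataclass
class ControlEvidence:
    """Audit evidence: who reviewed the control, when, and what was found."""
    control: str
    reviewed_by: str
    reviewed_at: str
    unauthorized: list = field(default_factory=list)  # seen but not approved
    missing: list = field(default_factory=list)       # approved but not seen
    comments: list = field(default_factory=list)      # action taken / not taken


def reconcile(inventory, discovered, reviewer, now=None):
    """Compare discovered assets against the authorized inventory and
    produce the evidence record for the review."""
    now = now or datetime.now(timezone.utc)
    seen = {d["mac"] for d in discovered}
    ev = ControlEvidence(control="CIS Control 01", reviewed_by=reviewer,
                         reviewed_at=now.isoformat(timespec="seconds"))
    # Unauthorized/unmanaged assets: the defined action is an assumed policy choice.
    for d in discovered:
        if d["mac"] not in inventory:
            ev.unauthorized.append(d)
            ev.comments.append(f"{d['mac']} at {d['ip']} not in inventory; "
                               "action taken: isolate and investigate")
    # Inventory entries that did not show up: stale record or offline device.
    for mac, meta in inventory.items():
        if mac not in seen:
            ev.missing.append({"mac": mac, **meta})
            ev.comments.append(f"{meta['hostname']} ({mac}) in inventory but not "
                               "discovered; action taken: confirm status with owner")
    if not ev.unauthorized and not ev.missing:
        ev.comments.append("Inventory matches discovery; no action taken")
    return ev


if __name__ == "__main__":
    print(reconcile(AUTHORIZED_INVENTORY, DISCOVERED, reviewer="j.smith"))
```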
What is the Purpose of Controls?
CIS is focused on protecting and tracking high-risk areas of the business by using controls. They should be considered a good starting point for organizations to implement and allow their focus to initially be the protection of the business’s high-value assets.
The CIS Controls are not a replacement for other existing frameworks such as NIST 800-53, the NIST Cybersecurity Framework, or ISO 27000, but you will find many of the controls mapped to these frameworks. If the CIS Controls are a company’s initial focus, they lay the groundwork for further implementation of other frameworks. The controls comply with the most applicable laws and security safeguards.
CIS Control Groups
Not every business will have the means or budget to implement all the controls, so CIS developed three different implementation groups with recommendations for safeguards for each group.
Implementation Group 1
Has 56 safeguards and is focused on protecting IT assets and personnel for small to medium-sized businesses.
Implementation Group 2
Has 130 safeguards; the organization typically has multiple departments and risks that vary by job function.
Implementation Group 3
Has 153 safeguards, and the organization typically has sensitive information and regulatory and compliance requirements.
Need Help with Controls? Trust Morefield
Implementing the CIS Controls is a great starting point for organizations, especially if they have no governance requirement to follow a specific framework. Implementing the controls will raise the organization’s cybersecurity maturity level and will help minimize the exposure and risk that lead to cyber-attacks and threats.
At Morefield, we can assist in the implementation of these controls and provide recommendations and guidance for fulfilling the requirements of each control. Contact us today!
What is the NIST Cyber Security Framework (CSF) & How Will It Help My Company?
October 10, 2022 |
[3 min. read]
by Allan Jacks, vCISO
When I started my career in the military, I wanted to do all the cool stuff I heard about from my recruiter. But then week one of my 6-month initial training course started. I was given what seemed like a mountain of books to use and reference. Many of them were published by the Combined Communications Electronics Board, which prescribed standards to be used when conducting communications within member nations. For successful communication, you must speak the same language, and when it came to electronic communications, there was a standard and protocol that everyone involved adhered to.
This allowed successful communications between multiple parties to occur in an orderly manner.
As engineers, we like to have order in our world, and by following templates, rules, guidelines, and best practices, we know what to expect when they are implemented correctly.
A framework is exactly that!
What is a Cyber Security Framework?
From the NIST glossary, a Framework is defined as:
“A set of cybersecurity activities and references that are common across critical infrastructure sectors and are organized around particular outcomes. The Framework Core comprises four types of elements: Functions, Categories, Subcategories, and Informative References.”
NIST developed the Cybersecurity Framework in 2014 to provide voluntary guidance for critical infrastructure organizations.
Even though this framework may have been focused on critical infrastructure organizations initially, the NIST CSF is an excellent framework to follow and protect your company’s critical infrastructure. “The framework was developed with a focus on industries vital to national and economic security, including energy, banking, communications, and the defense industrial base. It has since proven flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state, and local governments.”
What Does the NIST CSF do?
Every company that relies on its network, and on that network’s reliability, should consider the network vital to its economic security. The NIST Cybersecurity Framework is a proven framework for protecting the business.
NIST CSF is made up of 5 core functions: Identify, Protect, Detect, Respond and Recover. These functions provide an overview of the cyclical process for managing cybersecurity risk.
Identify
First, identify what your business’s core function is, what its mission is, and why it exists. What are the core assets that make up the business that need to be secured? These can include physical assets and people. What third parties do you need in order to continue business successfully?
Protect
Second is the protection of the components identified to ensure the availability of infrastructure services. By protection, we limit the impact of a cybersecurity event through the implementation of policies and procedures, managing the maintenance of infrastructure, and establishing data protection to protect the confidentiality, integrity, and availability of the company’s information.
Detect
Third is continuous monitoring of logs to identify any anomalies occurring within the infrastructure that may point to a cybersecurity event.
Respond
Fourth is to detail the actions to be taken in the event a cybersecurity incident occurs. Being prepared to act and knowing what action to take before it occurs will allow an ordered process to limit the damage caused. By practicing what to do, the stakeholders will be better prepared in the event of an incident.
Recover
Finally, in the event of an incident, having planning processes in place to restore assets to working order will allow a quicker return to service and to business operations. Evaluating what went wrong, what went right, and what can be improved allows the optimization of these processes and reduces cybersecurity risk to the organization.
NIST Resources
Just like the Allied communications books that I read in the military, the NIST publications can be quite challenging to read. One does not just pick them up and follow from chapter one through the end to fully secure your company’s systems, though NIST does have a quick start guide, which can be found here:
With the changing cybersecurity technologies and threats, NIST is currently working on updating the NIST Cybersecurity Framework to version 2.0. Information can be found here:
No company is too small to follow parts of the NIST CSF and by doing so, your company will be better prepared in the event of a cybersecurity incident.
Trust Morefield with NIST CSF
At Morefield, we can assist in providing guidance or assist you in implementing the NIST CSF Framework within your organization. Our team of experts is ready to start talking to you about your needs and goals. Contact our team now!
All About Penetration Testing for Businesses
August 26, 2022 |
As internet use grows, cybersecurity becomes ever more vital to business success. With the global average data breach cost of $4.24 million, businesses need reliable cybersecurity technology and services to protect their data.
An effective tool in a business’ cybersecurity strategy is penetration testing. The penetration testing process is the most effective way for an organization to gain a complete picture of their security posture. Understanding penetration testing and how it can benefit your business or organization can help you decide whether it is a good fit for you.
What Is Penetration Testing?
Penetration testing, also called pen testing or security pen testing, is a simulated cyberattack against an organization’s security policies. The penetration team performs the attempted attack using various tools and strategies to gain access to systems and information. The primary goal is to find a system’s vulnerabilities before cybercriminals do and strengthen them against a potential attack.
Penetration testers work with an organization to test security solutions currently in place. Through penetration testing, organizations can attempt to exploit potential weak spots in the following systems:
Networks
Websites
Servers
Computer systems
Applications
The penetration testing process identifies issues and helps businesses implement more effective cybersecurity controls. Penetration testing can also help an organization solve problems with its:
Compliance
Employees’ security consciousness
Cyberattack response protocol
Common Penetration Testing Methods
Penetration testing involves different hacking techniques to evaluate multiple security measures. These strategies may include the following.
Internal testing: Internal tests simulate attacks from a malicious insider within the organization. These tests attempt to determine what information an authorized user could access from within the network or what could happen if an attacker successfully infiltrated the system.
External testing: A simulated attack on an organization’s network perimeter is an external test. To extract sensitive data, these tests target an organization’s assets, like its website, email, and domain name servers.
Targeted testing: Targeted tests involve the organization’s security staff by having the testing team walk them through each step of the test. This exercise helps security staff understand how a hacker might think.
Blind testing: Some hackers attempt to penetrate a system with little or no information about the organization. A blind test simulates this scenario as the testing team attempts to hack into the system using only publicly available information to conduct penetration tests.
Double-blind testing: A double-blind test keeps the organization’s IT staff ignorant of the penetration test. This exercise evaluates the security policies and the IT staff’s monitoring and response capabilities.
Do Small Businesses Need Penetration Testing?
Penetration testing is a form of ethical hacking that exposes an organization’s vulnerabilities so it can improve its security measures. This procedure can benefit organizations that believe their data is secure but may have weak spots they want to address.
Some small businesses might not see the importance of penetration testing, thinking cyberattacks aren’t as much of an issue for them. Small businesses might also believe their data isn’t worth stealing. However, cybercriminals may find small businesses attractive targets because they lack the security infrastructure of larger corporations and organizations. Even small companies have information cybercriminals could use, including:
Employee records
Credit card numbers
Bank account information
Third-party access to larger networks
Small business penetration testing helps companies protect this information and proactively develop strategies for defending their systems against attack. With pen testing for small businesses, companies can learn how to manage their susceptibility to attack and gain valuable insight into the most effective information security risk management strategies.
The Penetration Testing Process
Penetration testing is a thorough, carefully researched process with several stages.
1. Planning
Preparation for the penetration testing process is essential. The organization and testing team must agree on the test’s goals and scope. In this stage, the organization decides the test’s timing, which methods to use, who should know about the test, and how much information the testers will have.
2. Discovery
In this stage, the testers conduct reconnaissance and gather as much information as possible about the targeted network, systems, users, and applications. Collecting information helps the test team understand how their target works and identify its potential vulnerabilities. The test team might gather information such as:
The organization’s network and domain names
IP addresses
CEO, CFO and other staff names
Staff email addresses
Infrastructure and applications used
3. Penetration Attempt
During the penetration attempt, testers seek to bypass the organization’s security controls and gain access to systems and applications run by the organization. The testing team analyzes the organization’s weak spots through scanning and other tools. The team exploits any known vulnerabilities, including weaknesses among the organization’s staff. Depending on their goals, the team may see how far they can infiltrate the system and how much data they can obtain.
4. Analysis and Reporting
After testing is complete, the testers prepare a detailed report communicating the access they were able to achieve and the vulnerabilities they exploited to gain this access. The results of penetration tests are valuable security planning tools because they describe the vulnerabilities that an attacker might exploit to gain access to a network. The report also includes advice on improving the organization’s security posture.
5. Cleanup
At the conclusion of the penetration test, pen testers should be careful not to leave a trace of their presence in the organization’s network. Testers should remove any tools that they installed on systems as well as any persistence mechanisms that they put in place. Attackers could leverage any evidence the testing team leaves behind.
6. Retest
Penetration testing is most effective when completed over time. The organization can use the testing report to implement security solutions in preparation for potential attacks. However, hackers and technology are constantly changing. With multiple tests, organizations can continually improve their processes.
Penetration Testing FAQs
Businesses and organizations that have never performed penetration testing might have questions about the process. Here are answers to some common penetration testing questions.
1. Can Penetration Testing Be Remote?
Penetration testing can be on-site or remote, depending on the testing team’s capabilities. Remote penetration testing provides several advantages.
High tester availability: Technological advances allow remote penetration testing teams to offer effective, timely, and responsive services.
Greater flexibility: Remote penetration testing only requires remote access, making this test ideal for organizations looking for higher speed.
2. How Often Should You Pen Test?
Businesses should have regular penetration testing to ensure their networks and systems are effective against emerging cyber threats. It can also be beneficial to have penetration testing done whenever security changes significantly, such as when the organization:
Modifies user policies
Adds applications or infrastructure to the network
Applies security patches to the system
Establishes new locations
Finishes upgrading applications
3. How Much Does Penetration Testing Cost?
Penetration tests are comprehensive evaluations of an organization’s network security that provide detailed recommendations for enhancing protections. As with other cybersecurity services, the cost of penetration testing varies depending on several factors:
The testing method used
The complexity of the organization’s network and systems
The tester’s experience
Whether the penetration test is remote or on-site
4. What are the Benefits of Penetration Testing?
You learn whether an attacker can penetrate your defenses
You gain a detailed blueprint for remediation
You gain focused information on specific attack areas
Do You Need Penetration Testing Done?
Penetration testing is a valuable strategy for improving your organization’s ability to resist cyberattacks. The process arms organizations with insight into their systems and the tools they need to improve them.
When you need penetration testing for your organization, turn to Morefield. We offer a range of business security and IT services to help businesses and organizations understand their security needs. With over 70 years of experience in the industry, we provide unmatched customer care and expertise.