As it turns out, securing the network is hard. A well-secured network is complex to deliver and is only as good as you have built it today, and tomorrow it starts all over again with change management as your organization adds and removes users, adds and removes services, and updates security policy, ad infinitum. The best you can do is point-in-time security management.
One of the many complexities of network security, for your organization's security professional, is getting your team's arms around the hundreds of security standards and, for networks that require it, the annoying and often financially painful concept of security compliance. Where do you start? Which standards are you accountable to? How do you quantify risk? Where do you prioritize your always-limited budget? Are technical controls the priority, or are your security policies and procedures more vital to minimizing risk? Securing the network is complex indeed.
I have the privilege of supporting some of the most influential and most dynamic networks in the Pacific Northwest. These networks, although different, all share similar qualities: great teams support them, and all of them face the same challenges you face in your IT systems.
Start by Baselining the Network
The first step in securing a network, for C-levels and network administrators alike, is to baseline the network. Creating a baseline can be a real challenge for many organizations, either because the network admins are new to the environment and don't yet have their arms around what they manage day to day to keep the lights on, or because lean IT principles govern the network: day-to-day changes are made promptly, but the documentation reflecting those changes falls out of date. Updating drawings, device configurations, and policy changes continually gets pushed down the road. Minimize the network's dynamic nature with a change freeze long enough to get the documentation in order, and capture the baseline itself (running configurations, firewall rule sets, account inventories) so that future changes can be compared against a known state instead of rediscovered.
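As an added example, not code from the original post, the Python script below shows what a usable baseline looks like once the change freeze has produced a documented snapshot: it keeps each device's last documented configuration, diffs it against the configuration pulled today, reports devices that were never documented or have disappeared, and flags added lines that weaken security. The device names, configuration text (Cisco-like syntax used only for illustration), and the three risky-line patterns are all constructed for this example and assume a one-setting-per-line config style.

```python
"""Configuration-baseline drift check.

Added example, not code from the original post. Assumes device configurations
are plain text with one setting per line (Cisco-like syntax is used only for
illustration) and that the baseline is the snapshot documented during the
change freeze. All device names and configs below are constructed.
"""
import difflib
import re

# Illustrative patterns; in a real environment this list comes from your
# own security policy. Matched only against lines ADDED since the baseline.
RISKY_PATTERNS = {
    "any-to-any permit": re.compile(r"\bpermit\s+ip\s+any\s+any\b"),
    "telnet enabled": re.compile(r"\btransport input\b.*\btelnet\b"),
    "snmp public community": re.compile(r"\bsnmp-server community\s+public\b"),
}

# Constructed sample data: the documented baseline and today's pull.
BASELINE = {
    "edge-fw1": (
        "! documented during change freeze\n"
        "hostname edge-fw1\n"
        "snmp-server community s3cr3t RO\n"
        "access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443\n"
        "access-list OUTSIDE_IN extended deny ip any any\n"
        "line vty 0 4\n"
        " transport input ssh\n"
    ),
    "core-sw1": "hostname core-sw1\nntp server 192.0.2.1\n",
}
CURRENT = {
    "edge-fw1": (
        "hostname edge-fw1\n"
        "snmp-server community public RO\n"
        "access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443\n"
        "access-list OUTSIDE_IN extended permit ip any any\n"
        "access-list OUTSIDE_IN extended deny ip any any\n"
        "line vty 0 4\n"
        " transport input ssh telnet\n"
    ),
    "core-sw1": "hostname core-sw1\nntp server 192.0.2.1\n",
    "lab-ap7": "hostname lab-ap7\n",  # constructed: a device nobody documented
}


def _clean(text):
    """Drop blank lines and '!' comments so cosmetic edits are not drift."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def diff_config(baseline, current):
    """Return the lines added to and removed from a single device config."""
    old, new = _clean(baseline), _clean(current)
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(old[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(new[j1:j2])
    return {"added": added, "removed": removed}


def flag_risky(added_lines):
    """Pair each added line that matches a risky pattern with the reason."""
    return [(name, line) for line in added_lines
            for name, pattern in RISKY_PATTERNS.items() if pattern.search(line)]


def check_drift(baseline_by_device, current_by_device):
    """Compare every device in either snapshot and classify the result.

    A device present in only one snapshot is drift too: either it was never
    documented or it has silently disappeared from the network.
    """
    report = {}
    for device in sorted(set(baseline_by_device) | set(current_by_device)):
        if device not in baseline_by_device:
            report[device] = {"status": "undocumented device"}
        elif device not in current_by_device:
            report[device] = {"status": "missing device"}
        else:
            result = diff_config(baseline_by_device[device], current_by_device[device])
            result["status"] = "drift" if (result["added"] or result["removed"]) else "in baseline"
            result["risky"] = flag_risky(result["added"])
            report[device] = result
    return report


if __name__ == "__main__":
    for device, result in check_drift(BASELINE, CURRENT).items():
        print(f"{device}: {result['status']}")
        for line in result.get("added", []):
            print(f"  + {line}")
        for line in result.get("removed", []):
            print(f"  - {line}")
        for reason, line in result.get("risky", []):
            print(f"  !! {reason}: {line}")
```

Run against the constructed data, the script reports core-sw1 as in baseline, lab-ap7 as an undocumented device, and edge-fw1 as drifted with three flagged additions (an any-to-any permit inserted above the final deny, telnet re-enabled on the VTY lines, and the SNMP community changed to public). The point is less the diff itself than the habit: once a baseline exists, every later change is either in the change log or it is a finding.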
Network Self-Assessment Using the NIST Cybersecurity Framework
Your software patching is out of date, your technical controls are aging and need to be refreshed, and you haven't reviewed the firewall in a long time, so its rules are stale. Before you hire a costly outside party to assess your security program and tell you many things you already know, perform a self-assessment. There are many guidelines and frameworks to measure yourself against, but one of the most popular in today's networks is the NIST Cybersecurity Framework (NIST CSF).
The NIST CSF covers the fundamentals of security program accountability without requiring you to review hundreds of controls. It narrows the measurement of security and risk management down to five Functions: how you Identify, Protect, Detect, Respond, and Recover. Initially published by NIST in February 2014 and revised through draft updates in 2017 to the final version 1.1 in April 2018, the CSF v1.1 is a straightforward and easy-to-follow 55-page guideline. It provides an introduction to the Framework, a review of the security basics, and then, in the meat of the document (Section 4, "Self-Assessing Cybersecurity Risk with the Framework"), how to perform a self-assessment. Each Function is broken into Categories and Subcategories (108 Subcategories in v1.1), and each Subcategory is mapped to Informative References such as NIST SP 800-53, ISO/IEC 27001, and the CIS Controls, so the self-assessment can be scored outcome by outcome rather than control by control. Note that CSF 2.0, published in February 2024, adds a sixth Function, Govern; the profile approach described below is unchanged.
The Target State and Your Security Target Profile
Once you have performed your self-assessment using the CSF as your framework, you will have created what NIST calls your organization's "Current Profile": its "as is" state. With that as-is state established by updating your network documentation and performing the self-assessment, you then build your "Target Profile."
Review all of the Categories and Subcategories of the CSF and, based on your organization's business drivers and how it measures risk, decide which outcomes your security program must prioritize to address organizational risk. Measuring the Current Profile against those business and risk priorities gives you a fine-tuned desired network end state: your Security Target Profile.
According to NIST, “The Current Profile indicates the cybersecurity outcomes that are currently being achieved. The Target Profile indicates the outcomes needed to achieve the desired cybersecurity risk management goals.”
Now it’s Time for an Outside View
Now that your organization has a proper accounting of its Current Profile and a defined network end state (Target Profile), based on its own measurement of organizational risk, it is time to perform a gap assessment. For most organizations without their own Security Operations Center (SOC), that means engaging an outside security consulting firm. The assessment's goal is to identify and evaluate the gaps between the two profiles and the remediation priorities for reaching the Security Target Profile.
The typical security gap assessment involves three project milestones: a vulnerability assessment, penetration testing, and a review of your program's security policies, methodologies, and procedures against a guideline such as the NIST CSF. The tools used by a professional outside security consulting firm are many and robust. The assessment team will use a suite of commercial vulnerability scanners alongside open-source tools, scanning from both the defender's and the attacker's viewpoint: credentialed scans as an administrator would run them, and unauthenticated scans as an outsider would. The attack surface is large; there are, for example, more than 1,500 documented Common Vulnerabilities and Exposures (CVE) entries in the four most widely used Internet browsers alone.
The team will then pivot from the identified exposures and attempt to exploit them (penetration testing). Testing from outside the network takes the view of an external attacker; testing from inside the network takes the perspective of an insider threat, or of an attacker who has already gained a foothold. Agree on scope, rules of engagement, and an escalation contact before exploitation begins, because a working exploit against a production system can cause an outage as surely as a real attack.
In the last phase of the gap assessment, the program itself is reviewed: security policy, security controls, and security incident management and remediation. Does your organization have the right controls in place? Does it have Active Directory procedures to disable and remove the accounts of terminated employees and other stale accounts, and to review service accounts and privileged group membership on the same schedule? And if a security breach were to occur, does it have a communication plan for notifying the authorities, the press, employees, and customers?
So, securing the network is hard and complex, and the attackers only have to get it right once, whereas you have to get it right every single time. Be diligent. Be honest with your supervisors and your peers about your weaknesses while also being open about what you are doing to fix them. And then, when your program is ready, measure it, test it, and assess it from an outside view. With every vulnerability remediated, your program gets better. With every software patch applied, your software, devices, and users get stronger. And with every new security policy applied in alignment with your business priorities to minimize risk, you will be that much closer to your Target Profile.
Here’s to hoping your Security Target Profile brings you Amplitude, Enormity, and Magnitude with your Zeros and Ones.