What’s New in NIST’s Cybersecurity Framework (CSF) 2.0


Since 2022, the National Institute of Standards and Technology (NIST) has been working on major updates to its Cybersecurity Framework (CSF), a set of guidelines and best practices for cybersecurity which enjoys wide adoption among federal organizations and private businesses of every size.

Now that update has finally arrived in the form of a draft issued on August 8th, 2023, and not a moment too soon. Five years have passed since CSF 1.1 was released in 2018, and the framework is widely regarded as overdue for an update that reflects changes in the global threat landscape and the evolving needs of organizations in both the public and private sector.

To that end, the CSF 2.0 draft largely conforms to proposals outlined by NIST in a concept paper earlier this year. Among other things, it adopts a broader focus extending the scope of CSF beyond its original audience of critical infrastructure operators. It also incorporates a new security function, extended guidance for supply chain security, and more.

In this article we’ll explain how NIST CSF works, how things are changing with CSF 2.0, and why your business should become CSF 2.0 compliant.

What is NIST CSF?

The earliest version of NIST CSF (1.0) was released in 2014, with the now largely forgotten title ‘Framework for Improving Critical Infrastructure Cybersecurity’. But despite its critical infrastructure focus, the framework outlined by CSF is conceptually simple, with wide application to a variety of organizations.

NIST CSF consists of three high-level components, which has not changed with the release of CSF 2.0:

  • Core functions – CSF core functions correspond to basic cybersecurity practices and outcomes. The basic functions – “Identify”, “Protect”, “Detect”, “Respond”, and “Recover” – are further broken down into categories and subcategories.
  • Implementation tiers – CSF tiers characterize how rigorously an organization manages cybersecurity risk and how well those practices are integrated into its wider risk decisions, ranging from Tier 1 (Partial) to Tier 4 (Adaptive). They are a self-characterization, not a measurement or a certification.
  • Framework profiles – CSF profiles align an organization’s requirements, objectives, risk tolerance and resources with the outcomes described by the Core. A “current” profile records where the organization is today and a “target” profile where it wants to be; the gap between them becomes the improvement plan.


Unlike other NIST publications such as SP 800-53 and SP 800-171, which federal agencies impose on their own systems and on their contractors and partners through regulation, NIST CSF is in most cases not mandatory but voluntarily adopted. Even so, the general nature of its guidance has made it a leading cybersecurity standard in both the U.S. and abroad.

Big Changes in CSF 2.0

While many changes in CSF 2.0 have been anticipated since January 2023, the draft document fleshes out details of their implementation, including the announcement of forthcoming tools and resources which will aid organizations towards CSF 2.0 compliance.

1. A Broader Scope

In CSF 2.0, NIST is embracing the reality of CSF adoption, expanding its scope from a standard focused on cybersecurity for critical infrastructure to one with much broader application. This is reflected both by a change of title – from ‘Framework for Improving Critical Infrastructure Cybersecurity’ to simply ‘The Cybersecurity Framework’ – and in language changes throughout the document.

More importantly, CSF 2.0 provides increased guidance to help organizations adapt the framework to their unique mission needs, and examples to illustrate the purpose of profiles. As Microsoft argued in feedback to the CSF 2.0 concept paper, profiles are an underutilized aspect of CSF which will hopefully see wider adoption going forward.

2. The ‘Govern’ Function 

While none of the core functions in the CSF have been removed, one has been added. ‘Govern’ is a special function that intersects the original five, emphasizing cybersecurity as a source of enterprise risk, and providing guidance for how an organization can make internal decisions that support cybersecurity strategy.

NIST illustrates the overlap between ‘Govern’ and the other CSF core functions with an updated graphic that places ‘Govern’ at the center, with the other five functions arranged around it, since governance decisions inform and support all of them.


3. Focus on Supply Chain Security 

In recent years, the rise of software supply chain incidents – including the SolarWinds compromise and the Log4j (Log4Shell) zero day, a flaw in an open-source library that organizations inherited through their dependencies – has made supply chain security a central concern for federal agencies. It is a major focus of 2021’s ‘Executive Order on Improving the Nation’s Cybersecurity’, for instance.

It is no surprise then that CSF 2.0 emphasizes supply chain risk management practices under the ‘Govern’ function, drawing on other resources, such as NIST special publication (SP) 800-161r1, ‘Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations’. It also directs readers to use the CSF itself as a standard for vetting suppliers and choosing secure partners.

4. Better Guidance 

While the general nature of CSF guidance has contributed to its success as a cybersecurity standard, some have felt that guidance is too general at times, making it difficult for some organizations to apply. Fortunately, in addition to providing increased CSF profile guidance, CSF 2.0 also includes specific examples of security processes that help achieve core functions.

This guidance has evidently been written with small to medium businesses (SMBs) in mind, as the summary of changes states: “the draft now includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, to use the framework effectively”.

5. Incorporating Other NIST Resources 

Since the release of CSF 1.1, NIST has been hard at work drafting new standards that supplement the framework well. In CSF 2.0, readers are directed to many of those standards – including the NIST Privacy Framework and Secure Software Development Framework among others – for further guidance.

Furthermore, in the coming weeks, NIST will release a CSF 2.0 reference tool which will help organizations to better understand the relationship between CSF 2.0 and other NIST standards included in its Informative References.

CSF 2.0 is a Stepping Stone to Compliance

With NIST stating that it does not intend to release further drafts of CSF 2.0 before the framework is finalized in 2024, it is safe to assume that there will not be any major changes between the draft and the final version.

Although it will not be a requirement for most federal contractors, CSF 2.0 will help businesses to form a solid cybersecurity foundation essential for compliance with NIST 800-171, 800-53 and CMMC while clarifying the risks that matter most to their business, and their ideal security position. Following NIST guidelines can also help businesses to prepare for future regulations, as state and federal governments use NIST standards to shape cybersecurity laws and guidance.

Securicon helps your business to comply with cybersecurity standards like NIST CSF 2.0 through tailored program and risk assessments. With a team comprised of veterans from the U.S. security community – including DoD, DHS, and the U.S. Cyber Commands – we are equipped to provide organizations with gap analysis, compliance consulting, assessment support, and audit preparation. To learn more, contact us today.

Why AI-Driven Tools Will Fail Cyber Defenders


Every few decades, the world goes through an “AI spring,” and we are in the middle of one right now. With accelerating progress in AI research and the arrival of emerging capabilities exemplified by tools like ChatGPT, hopes are surging that AI applications will soon help organizations to detect threats in their IT environment, prevent data breaches, and block incoming attacks with a much higher success rate.

But nothing is ever that simple. First, AI tools are part of the future for cyber defenders and malicious actors alike. As long as that is true, human expertise will always be the deciding factor in who wins and loses. Second, with IT environments increasing in complexity, expertise is needed to determine where AI can make a real difference, and where it is more of a liability than an asset.

In a previous article, we explained how VPNs can give organizations a false sense of security – not because they are not useful, but because their role in a larger perimeter security strategy is misunderstood. In this article, we will explain why the same is true for nearly any tool or set of tools, however “smart” they may be. But first let us set the scene.

Why AI-Driven Security is Desirable

In today’s cyber landscape, the allure of AI-powered tools is not hard to understand. In Q1 of 2023, cyberattacks rose by 7% over Q1 2022, with organizations facing an average of 2,057 attacks per week. At the same time, organizations are struggling to find help: today, the global cybersecurity workforce gap stands at 3.4 million, with nearly 700,000 unfilled cyber positions in the U.S. alone.

Worst of all, global cyber actors – who are always opportunistic in their pursuit of new vulnerabilities and attack vectors – are already leveraging AI for social engineering and targeted attacks. According to a study by the Cloud Security Alliance, freely available tools like ChatGPT can be used to identify attack points, assist in gaining unauthorized access to target networks, conduct reconnaissance and develop malicious code. That does not even count the specialized AI-powered toolkits being traded on the Dark Web.

AI-Driven Cybersecurity is Already Here

Clearly, organizations need all the help they can get. But none of these issues are entirely new, and AI-powered solutions are already being employed across many organizations to address them. These include:

  • Security Orchestration, Automation and Response (SOAR) –  SOAR platforms bring together data about security threats from multiple systems, offering automation for repetitive security operations center (SOC) processes, including vulnerability scanning, auditing and log analysis. SOAR platforms increasingly offer AI features to analyze information, prioritize threats, and suggest – or even execute – remedial actions.
  • User and Entity Behavior Analytics (UEBA) – UEBA tools focus on user and entity behavior, using algorithms to establish a baseline for normal activities and identify anomalous ones. Like SOAR, UEBA is often augmented with AI to generate better risk scores and flag potential threats more reliably.
  • Extended Detection and Response (XDR) – as an evolution of endpoint detection and response (EDR) systems, XDR brings threat detection and response functions to systems throughout your organization, providing a clearer picture of your IT environment and developing attacks. Like SOAR and UEBA, XDR tools are increasingly integrating AI-driven functionality.

But despite widespread deployment of SOAR, UEBA, XDR and other emerging cybersecurity products, cyber incidents have not decreased, and the need for human talent has not diminished. This picture is unlikely to change any time soon for many reasons. Here are just a few:

1. Much Assembly Required 

It is often taken for granted that AI will reduce the need for reliance on human talent – but the contrary is just as likely. The more tools organizations introduce, the more talent is needed to configure them safely, monitor their performance, and delineate their role in the midst of changing trends and priorities.

Cyber defenders already rely on a plethora of tools – but tools cause as many problems as they solve when they are deployed improperly. This is true in the context of cloud, endpoint detection, VPNs, IoT, and more, and there is every reason to believe the same will be true for AI-driven tools, however smart they may be. At a minimum, a poorly tuned detector fails in one of two directions: rules or thresholds set too loosely bury analysts in false positives, while rules set too tightly let real threats through as false negatives. Someone has to find the setting that the organization can live with, and keep adjusting it as the environment changes.
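The UEBA bullet earlier describes the baseline-and-anomaly mechanism, and the paragraph above describes the tuning trap. The following is an added example, not code from Securicon or from any SOAR, UEBA or XDR product, that puts both into a few dozen lines of Python: it learns a per-user baseline of login hour and preceding failed attempts from benign history, scores a window of new logins against that baseline, and then sweeps the alert threshold so the false-positive/false-negative tradeoff is visible in numbers. Every user, event and ground-truth label is constructed for the demonstration, and the scoring (largest absolute z-score across two features, with a floor on the standard deviation) is a deliberately simple stand-in for what a product would do.

```python
"""Per-user baseline scoring over constructed login events, with threshold tuning.

Added example for this article; not Securicon's code or any vendor's UEBA.
Every user, event and ground-truth label below is constructed for the demo.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Login:
    user: str
    hour: int        # local hour of day, 0-23
    failures: int    # failed attempts immediately preceding this success
    malicious: bool  # constructed ground truth; used only to score the detector


# Constructed training history: two staff who log in during office hours with
# few failures. In practice this comes from weeks of authentication logs.
HISTORY = (
    [Login("alice", h, f, False) for h, f in
     [(8, 0), (9, 1), (9, 0), (10, 0), (8, 0), (9, 0), (10, 1), (9, 0)]]
    + [Login("bob", h, f, False) for h, f in
       [(7, 0), (8, 0), (8, 1), (9, 0), (7, 0), (8, 0), (8, 0), (9, 1)]]
)

# Constructed evaluation window: normal activity, two password-spray successes
# at night with many failures, and one quiet use of alice's stolen password at
# 05:00 with no failures at all (the hard case for any threshold).
EVAL = [
    Login("alice", 9, 0, False),
    Login("alice", 11, 1, False),   # late start: benign but slightly unusual
    Login("alice", 3, 12, True),    # spray success
    Login("bob", 8, 0, False),
    Login("bob", 10, 5, False),     # back from leave, fumbled a rotated password
    Login("bob", 2, 9, True),       # spray success
    Login("bob", 8, 1, False),
    Login("alice", 5, 0, True),     # stolen credential used quietly
]

# Floor on the standard deviation so a very regular user does not turn every
# one-hour deviation into an extreme z-score (and to avoid division by zero).
MIN_STDEV = 1.0


def build_baselines(history):
    """Return {user: (mean_hour, sd_hour, mean_fail, sd_fail)} from benign history."""
    per_user = {}
    for ev in history:
        per_user.setdefault(ev.user, []).append(ev)
    baselines = {}
    for user, events in per_user.items():
        hours = [e.hour for e in events]
        fails = [e.failures for e in events]
        baselines[user] = (
            mean(hours), max(pstdev(hours), MIN_STDEV),
            mean(fails), max(pstdev(fails), MIN_STDEV),
        )
    return baselines


def score(ev, baselines):
    """Anomaly score: the larger absolute z-score across the two features.
    Hour of day is treated as linear for simplicity; a real detector would use
    circular distance so that 23:00 and 01:00 count as close."""
    mh, sh, mf, sf = baselines[ev.user]
    return max(abs((ev.hour - mh) / sh), abs((ev.failures - mf) / sf))


def evaluate(threshold, events=EVAL, history=HISTORY):
    """Return (true_positives, false_positives, false_negatives) when every
    event scoring at or above `threshold` raises an alert."""
    baselines = build_baselines(history)
    tp = fp = fn = 0
    for ev in events:
        flagged = score(ev, baselines) >= threshold
        if flagged and ev.malicious:
            tp += 1
        elif flagged:
            fp += 1
        elif ev.malicious:
            fn += 1
    return tp, fp, fn


def sweep(thresholds=(2.0, 4.0, 5.0, 6.0, 10.0)):
    """Map each candidate threshold to its (tp, fp, fn); no setting is free."""
    return {t: evaluate(t) for t in thresholds}


if __name__ == "__main__":
    for t, (tp, fp, fn) in sweep().items():
        print(f"threshold {t:>4}: caught {tp}, false alarms {fp}, missed {fn}")
```

On this data a threshold of 4.0 catches all three intrusions at the cost of one false alarm (bob's post-leave fumbling), while 5.0 removes the false alarm but misses the quiet use of alice's stolen password. Which of those an organization prefers is a judgement about analyst capacity and risk appetite, not something the detector can decide for itself.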

2. AI Has Limitations 

Recent progress in AI has given many the impression that there’s no upper limit on what AI applications can achieve. But until the arrival of artificial general intelligence (AGI) (at which point organizations will have bigger problems on their hand than cyber actors) AI solutions are necessarily narrow in scope, which limits their effectiveness against human targets.

For now, any AI-driven solution can only integrate with software if the proper APIs are in place. It can only detect and respond to threats it has been trained to anticipate. It can only navigate within a realm of generally defined problems and responses.

With cyber actors innovating new attack strategies around the clock and adopting AI as rapidly as cyber defenders, the measure of a cybersecurity program will never be technology alone: it will be creativity, expertise, and an understanding of factors ranging from organization-specific issues to the way hackers think.

3. Cybersecurity is a Human Issue 

While cyber actors often aim at system intrusion and penetration of network defenses, digital exploits are nearly always downstream from human exploits. According to Deloitte, more than 90% of attacks begin with a phishing email. This is just one of many ways that malicious actors manipulate and deceive your employees into providing them with a foothold – whether that takes the form of credentials, malicious downloads, or sensitive data.

Even now, AI’s role as a hacking tool is primarily confined to the creation of personalized phishing campaigns and social media messages. While AI can potentially help organizations to identify and flag malicious messages, it will not replace cyber training and awareness to help your employees avoid the mistakes that imperil your sensitive data and assets.

Beware of False Promises

As with every new trend, vendors have been quick to jump on the AI bandwagon, offering AI features and promising the moon with it. Often, they exploit the ambiguity of the term “AI”, with products that do not leverage ML models, or any other breakthrough technologies associated with the current AI spring.

But even when they do, organizations must be wary of believing these tools provide a level of unsupervised protection beyond what their existing toolsets provide. They must resist complacency and situate any new acquisitions within a larger strategy guided by human expertise, and an awareness of their unique needs.

Securicon provides tailored cybersecurity assessments with planning and implementation for secure AI-driven capabilities. We are comprised of veterans from the U.S. security community, including DoD, DHS and the U.S. Cyber Command. In addition to providing gap analysis, compliance consulting, assessment support and more, we have the expertise to evaluate emerging cybersecurity solutions and apply them within your IT environment. To learn how we can help you, contact us today.


The Hidden Dangers of AMI Infrastructure: Protect Your Utility Company Now

The rise of Advanced Metering Infrastructure (AMI) has revolutionized the way utilities collect and manage data. Implementing AMI improves the efficiency and accuracy of energy consumption monitoring and billing, and provides more real time information and control to consumers. But AMI also increases the exposure of both utilities and consumers to cyber threats.

AMI installations comprise a wide range of interconnected devices – most of which are deployed out in the field – from smart meters to data collectors and gateways, together with the communication networks that carry meter data and the head-end and meter data management systems that process it. The size of this attack surface and its interconnectedness create new security challenges that must be addressed by utilities and their cybersecurity partners.

AMI platforms also pose physical security risks. Deploying smart meters on customer premises puts utility network endpoints in locations the utility does not control, so there are now far more points of access into utility networks. Malicious actors can tamper with meters or the communication infrastructure to gain a foothold on the network, and a compromise that reaches the AMI head-end can become a threat to the wider energy grid, not least because many head-end systems can issue remote disconnect commands to meters.

Threats to AMI installations come in various forms, including:

  • Unauthorized access to customer data and system controls
  • Malware and ransomware attacks on network components
  • Physical tampering with meters and other devices
  • Distributed denial of service (DDoS) attacks on communication networks

Given the significant risks associated with AMI platforms, it is critical for utility companies to take proactive steps to protect their systems. This includes implementing robust cyber security protocols, ensuring that perimeter devices have hardened configurations, maintaining defense in depth throughout the AMI network with proper segmentation from critical infrastructure, conducting regular security assessments, and partnering with trusted cyber security experts to identify and mitigate vulnerabilities.

Here at Securicon we specialize in helping utility companies protect their AMI and other critical platforms from cyber security threats. Our team of experienced professionals can conduct thorough security assessments to identify potential vulnerabilities, develop custom solutions to address those vulnerabilities, and provide ongoing support to ensure that your AMI platform remains secure.

How Multi-Factor Authentication Can Make Your Business Safer


In today’s digitally transformed world, user access is the cornerstone of a strong security program. With people remotely logging into applications, networks, and systems, companies must implement robust identity and access management (IAM) policies, limiting access as precisely as possible.

Further, they need to verify users’ identities prior to granting access. Over the last few years, credential-based attacks have increased, with the 2022 Verizon Data Breach Investigations Report (DBIR) noting that more than 40% of data breaches included the use of stolen credentials. As threat actors try to use legitimate credentials during attacks, companies need to strengthen their user authentication methods.

In response to security concerns and customer needs, Apple, Google, and Microsoft announced in May 2022 their commitment to expanding support for the Fast Identity Online (FIDO) standard used for passwordless sign-in. The technology itself is not new: devices and servers capable of managing passwordless logins began appearing on the market in 2014, and the 2015 release of Windows 10 offered the first FIDO-aligned operating system. Adoption has simply lagged the capability.

FIDO passwordless technology is a form of multi-factor authentication rather than a replacement for it. Companies maintaining legacy technologies that cannot support FIDO can – and should – still implement Multi-Factor Authentication (MFA) by other means.

What Is Multi-Factor Authentication?

MFA requires users to prove their identity before access is granted by combining two or more of the following factors:

    • Something they know: a password
    • Something they have: a token or mobile device
    • Something they are: a biometric, like a fingerprint or face ID

MFA’s underlying concept is that each factor must be proven separately, so an attacker or bot that has obtained the password alone still cannot answer the challenge without also controlling the user’s device or presenting their biometric.

What is FIDO?

With FIDO technology, a person’s own device does the authenticating, unlocked by a biometric or PIN. Developed by the FIDO Alliance, an open industry association, FIDO is a free and open standard based on public key cryptography: the private key never leaves the device, and the biometric is used only locally to unlock that key, so neither is ever sent to or stored by the service.

Over time, the FIDO Alliance has published three specifications – FIDO UAF, FIDO U2F and, most recently, FIDO2 – which it describes in terms of four principles:

    • Security: each credential is a unique key pair whose private half stays on the person’s device; only the public key is stored by the service, so a breach of the server exposes nothing an attacker can reuse
    • Convenience: enabling easy user authentication with security keys or device capabilities, like fingerprints or face ID
    • Privacy: keys are unique per site, so a credential cannot be used to track a person across services
    • Scalability: leveraging API calls for easy implementation on any website

How Does FIDO Passwordless Work?

FIDO’s technology gives people a way to prove their identity to a service without handing over a secret that could be stolen.

The standard identifies two parties to the authentication process:

    • User: the person logging into a service, together with the authenticator that holds their key
    • Relying party: the organization providing the service

FIDO2 relies on two components:

    • WebAuthn (Web Authentication): the W3C browser API through which a web application asks the browser to create or use a credential
    • Client to Authenticator Protocol 2 (CTAP2): the protocol the browser or operating system uses to talk to an external authenticator, such as a security key or a phone, over USB, NFC or Bluetooth

The FIDO authentication process works like this:

    • Registration: the user creates an account, and the relying party sends a random challenge. Through WebAuthn the browser asks the authenticator to create a credential; the authenticator generates a new key pair scoped to that site, keeps the private key, and returns the public key and a credential ID along with a signature over the challenge.
    • The relying party verifies the registration response and stores the public key and credential ID against the account.
    • Login: the user returns to the service, which sends a fresh challenge. The browser passes it to the authenticator through WebAuthn, and through CTAP2 if the authenticator is a separate device.
    • The authenticator requires the user to unlock it with a PIN or biometric, then signs the challenge together with the site identity and the origin the browser observed.
    • The relying party checks that the challenge is the one it issued, that the origin and site identity match its own, and that the signature verifies with the stored public key. Only then is the user signed in.

FIDO Is An MFA Technology

At its core, FIDO is a streamlined, automated MFA process. It replaces the password with a private key held by the authenticator; WebAuthn and CTAP2 simply carry the challenge out to the device and the signed response back to the application.

Instead of typing a password when they connect to a service, the user proves possession of the private key by signing the service’s challenge, which the service checks against the public key registered earlier. Because the authenticator will not sign until it has been unlocked, each login automatically combines two factors:

    • Something you have: the authenticator device holding the private key
    • Something you are, or something you know: the fingerprint, face ID or PIN that unlocks it
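The ceremony described in the two sections above, written out so both sides’ checks are visible, as an added example that is not Securicon’s code and not a FIDO Alliance, WebAuthn or CTAP implementation. To run offline with no third-party packages it uses a toy Schnorr signature over a freshly generated 128-bit safe-prime group; real authenticators sign with ECDSA P-256 or Ed25519 using keys held in hardware. The relying party name (bank.example), the phishing origin, the challenge store and the signed-message layout are simplified assumptions that keep WebAuthn’s shape: the authenticator signs the hash of the relying party ID together with a hash of the client data, and the client data records the challenge and the origin the browser actually observed, not the origin a web page claims.

```python
"""FIDO-style login ceremony with origin binding. Added example with a toy
signature (see lead-in). Shape follows WebAuthn: the authenticator signs
SHA-256(rpId) || SHA-256(clientDataJSON); the server checks challenge, origin, signature."""
import hashlib
import json
import secrets

def _is_probable_prime(n, rounds=20):
    """Trial division by small primes, then Miller-Rabin."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime_group(bits=128):
    """(p, q, g) with p = 2q+1 prime; 4 is a square mod p, so it generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

P, Q, G = _safe_prime_group()   # toy parameters; real authenticators use P-256 or Ed25519

def _e(r, msg):
    """Schnorr challenge value e = H(r || msg) mod q (r < 2^128 fits in 32 bytes)."""
    return int.from_bytes(hashlib.sha256(r.to_bytes(32, "big") + msg).digest(), "big") % Q

def sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1
    e = _e(pow(G, k, P), msg)
    return e, (k - x * e) % Q

def verify(y, msg, sig):
    e, s = sig                                      # g^s * y^e recovers g^k if genuine
    return 0 <= s < Q and _e(pow(G, s, P) * pow(y, e, P) % P, msg) == e

def _payload(rp_id, client_data):
    """What is signed: rpIdHash || SHA-256(clientDataJSON), as in WebAuthn."""
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data.encode()).digest()

def client_data_json(challenge, origin):
    """Built by the browser, never by the page, so a phishing page cannot claim the bank's origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True)

class Authenticator:
    def __init__(self):
        self._keys = {}                             # cred_id -> (rp_id, private key); never exported

    def make_credential(self, rp_id):
        x = secrets.randbelow(Q - 1) + 1
        cred_id = secrets.token_hex(8)
        self._keys[cred_id] = (rp_id, x)
        return cred_id, pow(G, x, P)                # only the public key goes to the server

    def get_assertion(self, cred_id, client_data):
        rp_id, x = self._keys[cred_id]              # a real device demands PIN/biometric first
        return sign(x, _payload(rp_id, client_data))

class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.credentials, self.pending = {}, set()  # cred_id -> public key; unconsumed challenges

    def register(self, cred_id, public_key):
        self.credentials[cred_id] = public_key

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify_assertion(self, cred_id, client_data, sig):
        data = json.loads(client_data)
        if data.get("challenge") not in self.pending:
            return False                            # never issued or already used: replay
        self.pending.discard(data["challenge"])     # single use, even if later checks fail
        if data.get("origin") != self.origin:
            return False                            # signed on another site: phishing proxy
        public_key = self.credentials.get(cred_id)
        return public_key is not None and verify(public_key, _payload(self.rp_id, client_data), sig)

def login(rp, authenticator, cred_id, browser_origin):
    """One ceremony: server challenge, browser client data, authenticator signature, server checks."""
    client_data = client_data_json(rp.new_challenge(), browser_origin)
    return rp.verify_assertion(cred_id, client_data, authenticator.get_assertion(cred_id, client_data))
```

Two runs are worth comparing: `login(rp, authenticator, cred_id, "https://bank.example")` succeeds, while `login(rp, authenticator, cred_id, "https://bank-login.example")` fails even though an adversary-in-the-middle proxy relayed the bank’s genuine challenge and the signature is perfectly valid, because the browser wrote the phishing origin into the client data and the bank rejects it. Submitting the same signed assertion twice also fails, since the challenge is consumed on first use. That combination, not the biometric, is what makes FIDO phishing-resistant where typed codes are not.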

How to Strengthen Security with MFA

Companies with legacy technologies can and should still implement MFA within their organizations. The push for zero trust architectures (ZTA) is primarily based on the need to build a foundation of security that questions all users’ identities prior to granting them access to applications, networks, and systems. In May 2021, the Executive Order on Improving the Nation’s Cybersecurity specified that Federal Civilian Executive Branch (FCEB) agencies needed to implement MFA.

To establish and enforce MFA, all you need is a second channel that delivers a challenge to the user through a device you know they control. This gives you two-factor authentication because they can prove:

    • Something they know: the password
    • Something they have: the device registered to them

Text/SMS

After users input their password, they receive a one-time code on their smartphone or mobile device and type it into the login page. In some cases the application sends the code automatically; in others the person needs to request it. In an enterprise deployment, automating the process streamlines login and enables productivity.

SMS is far better than a password alone, but it is the weakest second factor. A code the user types can be phished: a fake login page relays both the password and the code to the real service in real time. And the code is only as safe as the phone number; in a SIM-swap attack the threat actor persuades the carrier to move the number to a SIM they control and receives the codes directly. NIST’s digital identity guidelines (SP 800-63B) classify SMS and voice-call codes as a “restricted” authenticator for these reasons.

Email

Email codes work the same way as SMS codes. When users input their password, they need to check their email for the code that proves their identity.

Threat actors can bypass email codes the same way as SMS codes, by phishing the code in real time, or by compromising the user’s email account, in which case they hold both the password reset path and the second factor.

Authentication Applications

Many providers now offer authenticator applications. Users install the app on their device and enroll by scanning a QR code from the service; that code carries a secret key that is stored in the app and on the server. From then on the app works in one of two modes. In time-based one-time password (TOTP) mode, the app derives a six-digit code from the shared secret and the current time, typically a new code every 30 seconds, and the user types it in; no network connection to the service is needed. In push mode, the service sends a notification to the app and the user taps “approve” or “deny”, sometimes after entering a number shown on the login screen. In both modes the response is short-lived: a TOTP code expires with its time step, and a push prompt can be configured to time out so that a person who waits too long must restart the login.

Some examples of authentication applications include:

    • Microsoft Authenticator
    • Google Authenticator
    • Sophos Authenticator
    • Duo Mobile

Authentication apps are less risky than email or SMS codes because nothing travels over the phone network or through a mailbox an attacker might control. They are not phishing-resistant, though: a typed TOTP code can be relayed by a fake login page just like an SMS code, and push mode is the target of MFA fatigue attacks, in which a threat actor who already holds the password triggers login after login until the worn-down user taps “approve” to make the prompts stop. Number matching, where the login screen shows a number that the user must type into the app, defeats that tactic: the victim cannot approve a prompt they did not initiate without the number, which is on the attacker’s screen rather than theirs.
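What the authenticator app computes, and how a server should check it, as an added example that is not Securicon’s code or any vendor’s authenticator. The code generation follows RFC 4226 (HOTP) and RFC 6238 (TOTP), using the reference secret from those RFCs so the output can be checked against the published test vectors; the server-side verifier adds the two details that matter in operation: a small clock-drift window, and refusing to accept a code for a time step that has already been used, which is how the “expiration” described above is actually enforced. The issuer and account name in the provisioning URI are placeholders.

```python
"""RFC 6238 TOTP as an authenticator app computes it and as a server should
check it. Added example, not Securicon's or any vendor's code; the secret is
the RFC 4226 / RFC 6238 reference key so results match the published vectors."""
import base64
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"   # reference key from the RFC 4226 / 6238 test vectors
STEP = 30                              # seconds per time step


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC(secret, counter), dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at, digits=6, step=STEP):
    """TOTP (RFC 6238): HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits)


def provisioning_uri(issuer, account, secret):
    """The otpauth:// URI encoded in the enrollment QR code (base32 secret, no padding)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits=6&period={STEP}"


class TotpVerifier:
    """Server-side check with a drift window and no reuse of an accepted time step."""

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window           # accept codes from +/- this many steps of drift
        self.last_step = -1            # highest time step already consumed

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue               # that step's code was already used: replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False
```

`totp(RFC_SECRET, 59, digits=8)` returns the RFC’s first vector, 94287082, and `TotpVerifier(RFC_SECRET).verify("287082", now=59)` succeeds once and then refuses the same code, which is the behaviour to look for when evaluating a product. Note that nothing here binds the code to the site it is typed into, which is exactly why a relayed TOTP code still works for a phisher.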

One Time Password (OTP)

With this method, users enter their email address when they log into the service and then retrieve a one-time password from that mailbox. An expiration time limits how long the code is valid, and the server should accept each code only once.

Because an emailed OTP depends on the mailbox, it carries the same risk as email MFA: a threat actor who controls the account also controls the codes. And because the user has to switch to their mail client on every login, the extra step becomes a real productivity cost for services people use many times a day.

Magic Link

Similar to an OTP, users enter their email address during login and then open the message to find a link that grants access. On the backend, the application generates a random token, stores it with an expiry, and emails the user a link containing it; when the user clicks, the token is consumed and the session is established.

The potential risks that magic links pose are the same as those for OTPs: if threat actors control the email account, they can bypass the security feature. Tokens should be single-use and short-lived so that a link forwarded or captured later does nothing. Further, like OTPs, magic links become cumbersome when users regularly access or log into a service.

Choosing the Right MFA

While implementing MFA is critical to your security posture, no single technology is perfect. Every option comes with its own set of benefits and costs. Understanding your company’s unique business and security needs is critical when making these decisions.

Partnering with Securicon’s experts enables you to leverage our years of security experience so that you can make the decision that’s right for your organization. We built our architecture designs and security policies around insights gained in the field, providing you with findings and recommendations based around demonstrated facts. We respond to customers’ unique environments, including working with legacy technologies, to recommend and develop the smart alternatives that mature your security and compliance postures.


Contact us to learn more.