Tuesday, April 14, 2026
AI cybersecurity guidance for small businesses

Know where your business is exposed, what matters most, and what to fix first.

CyberExperts gives small businesses AI-generated cyber checkups, practical recommendations, and recurring cyber hygiene monitoring — without enterprise consulting complexity.

AI Cyber Checkup: Identify likely weak points and get a prioritized action plan.
Recurring Monitoring: Stay current with updated cyber hygiene guidance over time.
Built for SMBs: Practical recommendations for real-world small business setups.

Most small businesses know cybersecurity matters. Very few know what to fix first.

CyberExperts turns cybersecurity confusion into a practical action plan. Instead of vague fear, generic checklists, or expensive consulting, you get AI-generated guidance focused on likely risks, weak spots, and the most important next steps.

How it works

1. Tell us about your business: Share your team size, tools, email setup, device practices, and current security habits.
2. CyberExperts analyzes your setup: Our AI reviews likely weak points, common risks, and practical cyber hygiene gaps.
3. Get a prioritized action plan: Receive clear next steps in plain English — focused on what matters most.
4. Stay current with ongoing monitoring: Add recurring cyber hygiene monitoring if you want updated guidance over time.

Start with a checkup. Continue with monitoring.

AI Small Business Cyber Checkup

A one-time AI-generated assessment that identifies likely weaknesses, highlights the biggest issues, and gives you a practical action plan.

  • Likely weak points and avoidable risks
  • Top-priority recommendations
  • Plain-English next steps

AI Cyber Hygiene Monitor

A recurring cyber hygiene subscription that updates your recommendations, flags likely weak spots, and helps you stay current over time.

  • Recurring reassessment
  • Updated recommendations
  • Refreshed priorities over time

What CyberExperts does — and does not do

Done by AI: CyberExperts is built as an AI-delivered cybersecurity guidance product.
For small businesses: Designed for operators who want practical guidance without enterprise complexity.
Not a magic guarantee: It helps identify likely risks and prioritize what to fix first.
Recurring option available: Continue with ongoing Cyber Hygiene Monitor updates over time.

See your biggest cybersecurity gaps in plain English.

Start with an AI Cyber Checkup and get a practical view of what to fix first.

Top 10 Cloud Security Best Practices

These 10 essential cloud security best practices apply to any organization that is moving to the cloud. Overlooking any of them could lead to a security disaster.

Cloud computing has indeed revolutionized the business and technological landscapes. Today, it is unheard of that any serious company would prefer onsite IT infrastructure to cloud services. Simply defined, cloud computing is a technology consisting of networked remote servers. Service providers use the network to provide cloud consumers with data storage units and computational software programs for processing and managing data. An internet connection provides access to cloud technologies, meaning that users can access them from their workplaces or the comfort of their houses.

Currently, at least 90% of organizations use some cloud service, and experts indicate that companies will run 60% of their operations in the cloud by the end of 2019 [1]. This shows that cloud technology is already mainstream. However, cloud services are reachable over the internet, and that has attracted attackers. Increased dependence on cloud services to store and manage sensitive data is motivation enough for them. All companies and users therefore need to understand the best security practices to ensure they adequately protect their cloud environments. Here are the top ten internationally accepted cloud security practices.

Cloud Security Best Practices #1:  Securely manage your data

Data security should be the topmost concern of all cloud users. To achieve optimum data protection, first identify the data containing the most classified information; highly sensitive data requires stronger security. Some would prefer applying high-level security to all cloud data, but this might not be sufficient because of factors like data size and format (audio, visual, print, etc.). Besides, information like patents and intellectual property cannot be secured the same way as business ledgers, or as personally identifiable information, for that matter. Some types of data must be protected at all costs because of their value and importance to the organization. Data classification software can assist in determining which data requires stronger security.

Then, implement a comprehensive security solution. It should be capable of locating sensitive information in the company’s network, databases, endpoints, and cloud storage. The solution should provide security, but not at the expense of flexibility and data access; even so, data access and storage procedures should be a priority. McAfee’s 2019 Cloud Adoption and Risk Report shows that 21% of data managed in the cloud has sensitive content [2]. No cloud service provider, including Office 365 and Salesforce, guarantees that data will be 100% secure. It is hence essential to continually review and update the access permissions associated with the data. Some instances might require a business to remove or quarantine highly sensitive data.

A company must also enforce strict data sharing policies. In 2019 there has been a 50% increase in sensitive data shared through the cloud [3]. The risk of malicious insiders or external attackers accessing, stealing, or corrupting cloud data is too high. Regardless of whether a company has applied powerful mitigation strategies, it must establish sufficient access controls for any data stored in and accessed through the cloud. For instance, the users who need to edit data are usually fewer than those who need to view it, so access controls should be tailored to the permissions each employee actually requires.

More importantly, relying solely on the cloud provider’s data encryption would be a grave mistake. Although the provider’s encryption prevents unauthorized users from accessing the data, the provider itself holds the encryption keys and can decrypt it at any time. Full access control therefore means deploying strong encryption of the customer’s own, with keys the provider does not hold, and an adequate public key infrastructure.

Cloud Security Best Practices #2:  Implement endpoint security

Using the services or applications of a particular cloud provider does not remove the need for robust endpoint security. Endpoint protection means securing end-user devices such as laptops, desktops, and mobile devices. Companies need to protect the endpoints on their corporate networks and the devices used to access their cloud accounts, because these serve as access points to all cloud processes and malicious actors can exploit them at any time. Enhancing endpoint security lets a company prevent risky activities that would otherwise provide entry points. Besides, enforcing endpoint protection and compliance with existing data security regulations enables a business to maintain stronger control.

Endpoint protection matters more for cloud security as the number of access points to a cloud grows. Organizations increasingly improve their operations by adopting practices for accessing data more fluidly. For example, they implement BYOD (Bring Your Own Device) policies under which employees use their personal devices to access and modify cloud data. Such devices require adequate endpoint security so that they do not give attackers easy targets for stealing or corrupting data; this includes using VPNs when accessing cloud accounts over public Wi-Fi networks.

Furthermore, cyber adversaries nowadays prefer to breach network or data security through endpoints, unlike in the past, when most breaches came through the network itself. As a result, depending on a centralized network security solution may be insufficient. The increased use of the Internet of Things in managing cloud activities brings additional risk, since IoT devices also multiply the possible entry points. This growing preference for breaching security through endpoints demands more focus on endpoint security.

But which solutions enable a cloud user to maintain optimum security? The first and most basic is password protection: all users need to secure their devices with strong passwords to keep malicious users out. Employees should also avoid sharing the devices they use for work, since an innocent user can accidentally delete all data stored in the cloud. Moreover, all devices should carry malware scanning tools to scan USB sticks or hard drives before they connect to a corporate network. This lowers the risk of an attacker introducing malware through endpoints.

Cloud Security Best Practices #3:  Carefully choose the cloud vendors

All cloud service providers try their best to enforce cloud security measures in order to attract more customers. Some vendors may even offer better security than in-house staff could maintain. However, some may claim to have the best protection as a marketing tag while in reality their security schemes are poor. To this end, the Chief Information Security Officer (CISO) of every organization has the responsibility of helping the employer choose the most secure vendors. Some companies may even need vendors that implement security policies to mitigate industry-specific threats.

To choose the most secure cloud providers, organizations can assess their security capabilities against various factors. These include their level of compliance with information security standards. Different regulations, including GDPR and HIPAA, require organizations to implement different controls, all aimed at data security. To ensure cloud service providers are fully compliant, a business should require them to produce compliance certifications; certification means the provider satisfies all the requirements of a compliance audit. Cloud vendors should also demonstrate that they can ensure 24/7 data and network availability. Data drives critical operations, so cloud providers should maintain multiple backups.

Additionally, a company should only subscribe to a cloud provider that conducts regular risk assessments. Assessing their servers and IT infrastructure for security risks enables cloud providers to apply mitigation strategies before attackers can exploit them. Risk assessment and management is a crucial cybersecurity operation that every cloud provider should observe. Lastly, an organization should use a cloud vendor that clearly states the customer’s responsibilities in matters of security. Cloud security is a collaborative process in which both the provider and the customer must play their roles to ensure optimum safety. For instance, a cloud provider should install patches promptly to prevent attacks such as zero-day attacks, while customers should develop security policies governing access, sharing, and modification of cloud data.

Cloud Security Best Practices #4:  Monitor and prevent

As previously mentioned, consumers and cloud service providers have different roles in securing cloud activities. They also share the responsibility for monitoring and responding to suspicious cloud security problems. The cloud vendor monitors the security of the infrastructure it uses to provide services to cloud consumers, while the customer monitors the applications and systems its users use to access those services. Service providers also tend to give customers monitoring information relating to the services they use. Relying on that information enables a company to implement measures for detecting incidents of unauthorized access, and to monitor for unexpected changes in how a user interacts with cloud data and applications.

It is also vital that a company implements additional monitoring that fully integrates with cloud automation. Cloud providers implement automation schemes such as autoscaling to give users round-the-clock access to more resources as their needs grow. Integrated monitoring provides 100% visibility into all cloud resources, so consumers can quickly detect unusual occurrences and address them before they become security problems.

Besides, as with all other operations, collaboration is critical. Cloud vendors monitor the IT infrastructure used to provide services and computation resources, including entire SaaS applications, networks, and IaaS resources such as storage units and virtual machines. The service provider may detect activities that could adversely impact a consumer’s cloud data or applications, in which case it may need to inform the customer so that they can coordinate an adequate response.

Similarly, a cloud user may detect activities that it cannot address without the service provider’s input. Responding to any security event requires both providers and consumers to share the responsibility. Effective collaboration means understanding the limits of a cloud provider in monitoring and responding to security incidents, so that the provider is not caught unawares.

Cloud Security Best Practices #5:  Conduct due diligence

Cloud consumers need to fully understand the applications and networks of their cloud providers. Understanding them enables a company to provide resiliency, security, and functionality for the systems and applications it deploys in the cloud. As such, it must perform due diligence across the entire lifecycle of deployed systems and applications. During the planning phase of a cloud migration, companies should select suitable cloud applications or service providers to move to. Benchmarking against other organizations that use a particular cloud provider can provide valuable information; first-time cloud deployments can use it to determine whether a provider implements security policies that meet their needs.

Also, a cloud consumer should always use the provider’s guidance and documented best practices for using applications and provided services. For example, developing a cloud-based application should follow the cloud service provider’s guidelines and security practices. Also, when migrating to an already implemented cloud system or application, reviewing its documentation and collaborating with the vendor can provide insightful information on how to securely use it.

More importantly, cloud providers abstract services to optimize resource usage and access. Abstracted services might resemble physical applications, networks, and hardware, but consumers need to understand that abstracted services and resources have different security practices and policies compared to those implemented on physical resources. Before subscribing to them, organizations should review and understand the security approaches implemented on the virtual resources, and let those guide the processes through which users access them.

Besides, deploying or developing applications for cloud use requires companies to enforce policies that ensure users operate them securely. In contrast to physical resources like disks, networking devices, and servers, cloud consumers use software to interact with virtualized resources. Software security practices like patch management and vulnerability testing should therefore guide all cloud-access activities.

Cloud Security Best Practices #6:  Implement intrusion detection and prevention systems

A survey from CloudPassage indicates that intrusion detection and prevention systems are the third most effective solutions for cloud security [4]. These systems monitor cloud and corporate networks for signs of intrusion and prevent unauthorized access. They also immediately alert a security administrator of the attempts, allowing mitigation measures to be deployed. Moreover, intrusion detection and prevention systems can respond to intrusion attempts themselves, for example by blocking access from the source of the attempted intrusion.

An organization can also consider artificially intelligent prevention and detection systems. Such systems learn the behavior of every user and activity accessing a particular cloud environment; for example, they build up knowledge of the types of data an employee uses frequently and the types of cloud resources the employee requests. Whenever a user performs unusual activities, the system flags that user as a potentially malicious entity and blocks further requests. This minimizes the risk of a malicious insider assuming the identity of a legitimate user.

Furthermore, intrusion detection and prevention systems should minimize the number of false positives they generate. These are alerts that a system raises as intrusion alerts but that turn out to be benign; for example, assigning new roles to a user can lead an intrusion detection and prevention system to flag the user’s new activities as suspicious. False positives can cause a company to invest in unnecessary measures, since the alerts turn out to be false security alarms.

Cloud Security Best Practices #7:  Define cloud usage policies for all employees

Although organizations implement a corporate strategy for securely using cloud accounts, employees tend to utilize the clouds without adhering to the implemented strategies. For example, they might fail to inform the relevant stakeholders when they transfer or modify cloud data. Therefore, monitoring their usage activities is a crucial aspect of maintaining cloud security. Monitoring provides a clear picture of the services or resources a particular employee accesses and their usage patterns. Users with suspicious cloud usage activities can be denied access to ensure they don’t introduce security risks to cloud data and applications.

To determine the risk level a particular user poses to cloud security, an organization can assess the network firewalls, the logs captured in its security information and event management (SIEM) system, and its web proxies. The assessment results give security personnel a risk value for each user relative to organizational security, and that value can help determine whether a particular user should have complete or partial access to the organization’s cloud accounts.

Furthermore, cloud consumers must understand that shadow usage not only refers to unauthorized access to cloud services from endpoints; it also covers moving data from trusted environments to unmanaged devices. Such practices endanger data security and threaten data availability, integrity, and confidentiality. As such, a data officer should authorize data movement within the cloud and keep track of the data accessed from each endpoint.

Cloud Security Best Practices #8:  Maintain a safe list

Most employees within an organization use cloud services to meet the company’s goals and objectives. However, a few employees use organizational clouds for their own gain. Using cloud services for dubious purposes places a company in danger of having its cloud security compromised or of facing legal tussles over compliance issues. As such, a business should develop and maintain a safe list of all the services employees may access through their cloud accounts. Enforcing the list and ensuring employees are aware of it minimizes issues arising from compliance penalties or insecure practices.

In any case, establishing a safe list enables an organization to specify the data each employee can access. It also ensures an employee understands the data permitted to be processed through the cloud. Creating such awareness leads to effective data management as all users are aware of the data they can use or share through cloud platforms. Similarly, a safe list provides all cloud users with a list of applications they can use in a cloud environment. Lastly, a safe list provides a clear outline of the security practices to observe when interacting with cloud data or applications.
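As an added example (not from the original article), the following Python script combines the log-based risk assessment of practice #7 with the safe list of practice #8: it scores constructed web-proxy log lines against an assumed safe list of approved cloud services and turns each user's score into an access decision. The hosts, log format, thresholds and scoring weights are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample web-proxy log (not real traffic). Columns:
# timestamp user method host bytes_sent bytes_received
PROXY_LOG = """\
2019-09-10T08:01:12Z alice GET  mail.office365.com              512      48211
2019-09-10T08:02:40Z alice POST sharepoint.example-corp.com     20480    312
2019-09-10T08:05:03Z bob   GET  eu.salesforce.com               640      90112
2019-09-10T08:07:55Z bob   POST notes.personal-wiki.example     4096     128
2019-09-10T08:09:14Z carol POST files.unapproved-share.example  52428800 256
2019-09-10T08:11:30Z carol POST files.unapproved-share.example  73400320 256
garbled line written by the proxy during log rotation
2019-09-10T08:12:01Z dave  GET  files.unapproved-share.example  300      8192
"""

# Assumed safe list (practice #8): cloud services employees may use.
SAFE_LIST = {"office365.com", "example-corp.com", "salesforce.com"}

# Uploads at or above this size to a non-safe-listed host are treated as data
# leaving the managed environment (shadow usage, practice #7). Assumed threshold.
BULK_UPLOAD_BYTES = 1 << 20  # 1 MiB

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+"
    r"(?P<sent>\d+)\s+(?P<recv>\d+)\s*$"
)


def on_safe_list(host, safe_list=SAFE_LIST):
    """True if host is a safe-listed domain or a subdomain of one.

    The leading dot in the suffix check matters: 'notsalesforce.com' must not
    be accepted just because it ends with 'salesforce.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in safe_list)


def score_users(log_text, safe_list=SAFE_LIST):
    """Score every user seen in the log.

    Returns (users, skipped) where users maps a user name to
    {"score": int, "findings": [str, ...]} and skipped counts lines that did
    not parse (reported rather than silently dropped).
    """
    users = defaultdict(lambda: {"score": 0, "findings": []})
    skipped = 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            skipped += 1
            continue
        rec = users[m["user"]]  # every parsed user gets a decision, even with score 0
        host, sent = m["host"], int(m["sent"])
        if on_safe_list(host, safe_list):
            continue
        # +1 per request to a service that is not on the safe list.
        rec["score"] += 1
        rec["findings"].append(f"unsanctioned service: {host}")
        # +5 extra when data is pushed in bulk to such a service.
        if m["method"] in ("POST", "PUT") and sent >= BULK_UPLOAD_BYTES:
            rec["score"] += 5
            rec["findings"].append(f"bulk upload of {sent} bytes to {host}")
    return dict(users), skipped


def access_decision(score):
    """Map a risk score to the cloud access level (assumed bands)."""
    if score == 0:
        return "full"
    if score < 5:
        return "review"
    return "restrict"


def report(log_text, safe_list=SAFE_LIST):
    """Return {user: (score, decision)} for the whole log."""
    users, _ = score_users(log_text, safe_list)
    return {u: (r["score"], access_decision(r["score"])) for u, r in users.items()}


if __name__ == "__main__":
    users, skipped = score_users(PROXY_LOG)
    print(f"unparsable lines: {skipped}")
    for user, rec in sorted(users.items()):
        print(user, rec["score"], access_decision(rec["score"]), rec["findings"])
```

Running it against the constructed log leaves alice with full access, sends bob and dave for review, and restricts carol, whose two bulk uploads to an unapproved file-sharing host dominate her score.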

Cloud Security Best Practices #9:  Trust users, but verify

Cloud consumers should adopt additional verification procedures to supplement other security practices like password protection. Verification schemes protect a cloud environment from malicious activities perpetrated by attackers assuming the identity of legitimate users. An effective verification scheme is two-factor or multi-factor authentication, which requires cloud users to provide additional proof that they are authorized to access cloud data. Such proof can include a code sent to a trusted mobile number or the answer to a security question known only to the user. These measures strengthen the cloud security posture.

In addition to the different authentication mechanisms, a company must ensure that authenticated users have the authority to access and interact with cloud data. Whereas an employee might pass a verification process, he might lack the permissions to access particular types of data and cloud applications. Several access controls can be used, including least privilege access, role-based access, among others. Organizations should control data access to eliminate risks associated with unauthorized access. Investigations should be conducted on attempted unauthorized access by tracking the endpoint used in the attempted intrusion.

Cloud Security Best Practices #10:  Regulatory compliance boosts security

A cloud consumer has a role in ensuring full compliance with information security regulations. Although many businesses adhere to compliance regulations mainly to avoid non-compliance fines, the security requirements recommended by the various standards genuinely enhance security, so implementing their guidelines is an effective way of tackling security issues. More importantly, companies need to understand that the compliance regulations designed for cloud providers differ from those meant for consumers. They should not neglect the recommended security practices on the assumption that the cloud provider has already complied.

Moreover, outsourcing compliance responsibilities is not recommended, regardless of how many business functions have shifted to the cloud. Choosing a cloud provider whose platform facilitates compliance is a plus for cloud security, since it allows a business to fully comply with regulations such as HIPAA, GDPR, and PCI DSS. Understanding the compliance aspects can facilitate optimum security for a particular company. Lastly, automating compliance can eliminate the problems associated with tracking new or updated regulations: automated compliance processes ensure a cloud consumer keeps track of all applicable regulations and so covers all security aspects. Various companies develop automated compliance software designed to meet such organizational needs. Together, all the recommended practices can assist cloud consumers in achieving maximum security.

[1] https://hostingtribunal.com/blog/cloud-computing-statistics/

[2] https://www.mcafee.com/enterprise/en-us/solutions/lp/cloud-adoption-risk.html?_ga=2.224418842.1031089963.1568031446-47850940.1568031446

[3] https://securingtomorrow.mcafee.com/business/cloud-security/top-19-cloud-security-best-practices/

[4] https://www.esecurityplanet.com/network-security/intrusion-prevention-systems.html

23 Top Cybersecurity Frameworks

Many organizations consider cybersecurity to be a priority. The need to implement effective cybersecurity frameworks grows every day. Cybercriminals continuously derive more sophisticated techniques for executing attacks.

This has led to the development of various cybersecurity frameworks meant to assist organizations in achieving robust cybersecurity programs. Therefore, businesses should understand the top cybersecurity frameworks for enhancing their security postures.

Cybersecurity frameworks refer to defined structures containing processes, practices, and technologies which companies can use to secure network and computer systems from security threats. Businesses should understand cybersecurity frameworks for enhancing organizational security. The top cybersecurity frameworks are as discussed below:

1. ISO/IEC 27001 and ISO/IEC 27002 [1][2]


The ISO 27001 cybersecurity framework consists of international standards that specify the requirements for an information security management system (ISMS). ISO 27001 follows a risk-based process that requires businesses to put in place measures for detecting the security threats that affect their information systems.

To address the identified threats, the ISO 27001 standard recommends various controls. An organization should select the controls that mitigate its security risks so that it remains protected from attacks. In total, ISO 27001 lists 114 controls, grouped into 14 categories. Some of the categories are information security policies (two controls); organization of information security (seven controls detailing the responsibilities for various tasks); and human resource security (six controls enabling employees to understand their responsibility in maintaining information security).

On the other hand, the ISO 27002 framework comprises international standards that detail the controls an organization should use to manage the security of its information systems. ISO 27002 is designed for use alongside ISO 27001, and most organizations use both to demonstrate their commitment to the requirements imposed by different regulations. Some of the information security controls recommended in ISO 27002 include policies for enhancing information security, asset inventory controls for managing IT assets, access controls for various business requirements, user access management, and operations security controls.

2. NIST Cybersecurity Framework [3]


The NIST Cybersecurity Framework was developed in response to presidential Executive Order 13636. The executive order’s purpose was to enhance the security of the country’s critical infrastructure, protecting it from internal and external attacks.

Although the framework’s design aims to secure critical infrastructures, private organizations implement it to strengthen their cyber defenses. In particular, NIST CSF describes five functions that manage the risks to data and information security. The functions are identify, protect, detect, respond, and recover.

The identify function guides organizations in recognizing security risks to asset management, the business environment, and IT governance through comprehensive risk assessment and management processes. The protect function defines security controls for protecting data and information systems, including access control, training and awareness, data security, information protection procedures, and maintaining protective technologies. The detect function provides guidelines for detecting security anomalies and for monitoring systems and networks to uncover security incidents, among others. The respond function includes recommendations for planning responses to security events, mitigation procedures, communication processes during a response, and activities for improving security resiliency. Lastly, the recover function provides guidelines that a company can use to recover from attacks.

3. IASME Governance [4]

IASME governance refers to cybersecurity standards designed to enable small and medium-sized enterprises to achieve adequate information assurance. IASME governance outlines the criteria by which a business can be certified as having implemented the relevant cybersecurity measures.

The standard enables companies to demonstrate to new or existing customers their readiness to protect business or personal data. In short, it is used to accredit a business’s cybersecurity posture.

The IASME governance accreditation is similar to that of an ISO 27001 certification. However, implementing and maintaining the standard comes with reduced costs, administrative overheads, and complexities. IASME standards certification includes free cybersecurity insurance for businesses operating within the UK.

4. SOC 2 [5]


The American Institute of Certified Public Accountants (AICPA) developed the SOC 2 framework. Its purpose is to enable organizations that collect and store personal customer information in cloud services to maintain proper security.

The framework also provides SaaS companies with guidelines and requirements for mitigating data breach risks and strengthening their cybersecurity postures. Also, the SOC 2 framework details the security requirements to which vendors and third parties must conform. The requirements guide them in conducting both external and internal threat analyses to identify potential cybersecurity threats.

SOC 2 contains 61 compliance requirements, which makes it among the most challenging frameworks to implement. The requirements include guidelines for destroying confidential information, monitoring systems for security anomalies, procedures for responding to security events, internal communication guidelines, among others.

5. CIS v7 [6]


The body responsible for developing and maintaining the CIS v7 framework is the Center for Internet Security (CIS). CIS v7 lists 20 actionable cybersecurity requirements meant to raise the security standards of all organizations.

Most companies perceive the security requirements as best practices since the CIS has a credible reputation for developing baseline security programs.

The framework categorizes the information security controls into three implementation groups. Implementation group 1 is for businesses with limited cybersecurity expertise and resources. Implementation group 2 is for organizations with moderate technical experience and resources for implementing the sub-controls, whereas implementation group 3 targets companies with extensive cybersecurity expertise and resources.

CIS v7 stands out from the rest since it enables organizations to create budget-friendly cybersecurity programs. It also allows them to prioritize cybersecurity efforts.

6. NIST 800-53 Cybersecurity Framework [7]


The National Institute of Standards and Technology created the NIST 800-53 publication for enabling federal agencies to realize effective cybersecurity practices.

The framework focuses on information security requirements designed to enable federal agencies to secure information and information systems. Besides, NIST 800-53 provides governmental organizations with the requirements to comply with FISMA (Federal Information Security Management Act) requirements. NIST 800-53 is unique as it contains more than 900 security requirements, making it among the most complicated frameworks for organizations to implement.

The requirements recommended in the framework include controls for enhancing physical security, penetration testing, guidelines for implementing security assessments, and authorization policies or procedures, among others. NIST 800-53 is a useful framework for organizations maintaining federal information systems, companies with systems that interact with federal information systems, or institutions seeking FISMA compliance.

7. COBIT [8]


COBIT (Control Objectives for Information and Related Technologies) is a cybersecurity framework that integrates a business’s objectives with its IT security, governance, and management. ISACA (Information Systems Audit and Control Association) developed and maintains the framework.

The COBIT cybersecurity framework is useful for companies that aim to improve production quality while adhering to enhanced security practices.

The factors that led to the creation of the framework were the need to meet all stakeholder cybersecurity expectations, the need for end-to-end procedure controls in enterprises, and the need for a single, integrated security framework.

8. COSO [9]

COSO (Committee of Sponsoring Organizations) is a framework that enables organizations to identify and manage cybersecurity risks.

The core points behind the framework’s development include monitoring, auditing, reporting, and controlling, among others. The framework consists of 17 requirements grouped into five categories: control environment, risk assessment, control activities, information and communication, and monitoring and controlling.

All of the framework’s components work together to establish sound processes for identifying and managing risks. Routine use of the framework identifies and assesses security risks at all organizational levels, thereby improving the organization’s cybersecurity strategies.

The framework also recommends processes for communicating information risks and security objectives up and down an organization, and it allows for continuous monitoring of security events to permit prompt responses.

9. TC CYBER [10]

The TC CYBER (Technical Committee on Cyber Security) framework was developed to improve telecommunication standards across European countries.

The framework recommends a set of requirements for improving privacy awareness for individuals or organizations.

It focuses on ensuring that organizations and individuals can enjoy high privacy levels when using various telecommunication channels. Moreover, the framework recommends measures for enhancing communication security.

Although the framework specifically addresses telecommunication privacy and security in Europe, other countries worldwide also use it.

10. HITRUST CSF [11]

The HITRUST (Health Information Trust Alliance) cybersecurity framework addresses various measures for enhancing security.

The framework was developed to address the security issues that organizations in the health industry face when managing IT security. It does so by providing such institutions with efficient, comprehensive, and flexible approaches to managing risks and meeting various compliance regulations.

In particular, the framework integrates various compliance regulations for securing personal information, including Singapore’s Personal Data Protection Act, and it interprets the relevant requirements of the General Data Protection Regulation.

The HITRUST cybersecurity framework is regularly revised to ensure it includes data protection requirements specific to the HIPAA regulation.

11. CISQ [12]

CISQ (Consortium for IT Software Quality) provides security standards that developers should maintain when developing software applications.

Developers also use the CISQ standards to measure the size and quality of a software program. The standards enable software developers to assess the risks and vulnerabilities present in a completed application or one under development, so that they can efficiently address threats and ensure users receive secure software applications.

The vulnerabilities and exploits identified by the Open Web Application Security Project (OWASP), the SANS Institute, and CWE (Common Weakness Enumeration) form the basis upon which the CISQ standards are developed and maintained.

12. Ten Steps to Cybersecurity [13]

The Ten Steps to Cybersecurity is an initiative by the UK’s Department for Business. It provides business executives with an overview of cybersecurity. The framework recognizes the importance of giving executives knowledge of the cybersecurity issues that affect business development or growth, and of the measures available to mitigate such problems.

The aim is to enable them to make better-informed management decisions about organizational cybersecurity. The framework uses broad descriptions with fewer technicalities to explain the various cyber risks, defenses, mitigation measures, and solutions, enabling a business to adopt a company-wide approach to enhancing cybersecurity.

13. FedRAMP [14]

FedRAMP (Federal Risk and Authorization Management Program) is a framework designed for government agencies. It provides standardized guidelines that enable federal agencies to evaluate cyber threats and risks to infrastructure platforms, cloud-based services, and software solutions.

Furthermore, the framework permits the reuse of existing security packages and assessments across various governmental agencies.

The framework is also based on continuous monitoring of IT infrastructure and cloud products to support a real-time cybersecurity program. More importantly, FedRAMP focuses on shifting from tedious, tethered, and insecure IT to IT that is more secure, mobile, and quick. The aim is to ensure federal agencies have access to modern and reliable technologies without compromising their security.

To achieve the desired security levels, FedRAMP collaborates with cloud and cybersecurity experts and with the bodies that maintain other security frameworks, including the NSA, DoD, NIST, GSA, OMB, and private sector groups.

The main goals of FedRAMP are to accelerate cloud migrations by reusing authorizations and assessments, enhance confidence in cloud security, ensure that federal agencies consistently apply recommended security practices, and increase automation for continuous monitoring.

14. HIPAA [15]

HIPAA (Health Insurance Portability and Accountability Act) contains various guidelines for enabling organizations to implement sufficient controls for securing employee or customer health information.

HIPAA standards apply to healthcare organizations because they collect and store health information for all patients. The standards comprise different security requirements that require organizations to demonstrate a clear understanding of how to implement and use them.

Such requirements include training employees at all levels on best practices for collecting and storing health data. In addition, HIPAA requires companies to create and maintain appropriate procedures for conducting risk assessments, including methods for managing the identified risks.

15. GDPR [16]

GDPR (General Data Protection Regulation) is one of the latest frameworks enacted to secure personally identifiable information belonging to European citizens.

The regulation provides a set of mandatory security requirements that organizations in different parts of the world must implement. As such, it is a global framework that protects the data of all EU citizens. Non-compliance leads to heavy penalties, which has driven most companies to comply with the requirements.

GDPR requirements include implementing suitable controls for restricting unauthorized access to stored data, such as least privilege, role-based access control, and multi-factor authentication. Organizations and websites must also obtain a data owner’s consent before using data for purposes such as marketing or advertising. Data breaches that result from a company’s failure to implement security controls amount to non-compliance.

16. FISMA [17]

FISMA (Federal Information Security Management Act) is a cybersecurity framework designed for federal agencies. The compliance standard outlines a set of security requirements that government agencies can use to enhance their cybersecurity posture.

The security standards aim to ensure that federal agencies implement adequate measures to protect critical information systems from different types of attacks. Moreover, the framework requires vendors or third parties interacting with a government agency to conform to the stipulated security recommendations.

The security standard’s main aim is to enable federal agencies to develop and maintain highly effective cybersecurity programs. To achieve this, the standard consists of a comprehensive cybersecurity framework with nine steps for securing government operations and IT assets. These are:

  1. Categorize information according to security levels
  2. Identify minimum security controls for protecting information
  3. Refine the controls using risk assessments
  4. Document the controls and develop a security plan
  5. Implement the required controls
  6. Evaluate the effectiveness of the implemented controls
  7. Determine security risks to federal systems or data
  8. Authorize the use of secure information systems
  9. Continuously monitor the implemented controls

17. NY DFS [18]

NY DFS (New York Department of Financial Services) is a cybersecurity framework covering all institutions operating under DFS registrations, charters, or licenses.

The framework consists of several cybersecurity requirements that can enhance the security posture of financial organizations and of the third parties they do business with.

Among other things, NY DFS requires organizations to identify security threats that can affect their networks or information systems. The framework also requires companies to adopt sufficient security infrastructure to protect all IT assets from the identified risks. In addition, organizations covered by NY DFS must implement systems for detecting cybersecurity events.

18. NERC CIP [19]

NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) is a cybersecurity framework that contains standards for protecting critical infrastructures and assets.

In total, the framework has nine standards comprising 45 requirements. For example, the sabotage reporting standard requires an electric utility to report unusual occurrences and security disturbances to the relevant bodies.

The critical cyber asset identification standard makes it mandatory for an entity to document all cyber assets considered critical. The personnel and training standard requires employees with access to critical cyber assets to complete security awareness training. Other standards in the NERC CIP framework cover the electronic security perimeter, incident response, systems security management, and recovery plans.

19. SCAP [20]

SCAP, or Security Content Automation Protocol, is a standard containing security specifications that standardize how security products and tools communicate.

The specification aims to standardize the processes through which security software programs communicate security issues, configuration information, and vulnerabilities. Through the standardized specifications, SCAP intends to enable a company to measure, express, and organize security data using universal criteria and formats.

Security software built on SCAP can help a business maintain enterprise security through processes such as automatically verifying and installing security patches, testing and verifying the security configurations of implemented systems, and investigating incidents that could compromise system or network security.

20. ANSI [21]

The ANSI (American National Standards Institute) framework contains standards, information, and technical reports which outline procedures for implementing and maintaining Industrial Automation and Control Systems (IACS).

The framework applies to all organizations that implement or manage IACS systems. The framework consists of four categories as defined by ANSI.

The first category contains foundational information like security models, terminologies, and concepts. The second category addresses the aspects involved in creating and maintaining IACS cybersecurity programs. The third and fourth categories outline requirements for secure system integration and security requirements for product development.

21. NIST SP 800-12 [22]

NIST SP 800-12 provides an overview of computer security and security controls within an organization.

Also, NIST SP 800-12 focuses on the different security controls an organization can implement to strengthen cybersecurity defense. Although most of the control and security requirements were designed for federal and governmental agencies, they are highly applicable to private organizations seeking to enhance their cybersecurity programs.

NIST SP 800-12 enables companies to maintain policies and programs for securing sensitive IT infrastructure and data.

22. NIST SP 800-14 [23]

NIST SP 800-14 is a unique publication that provides detailed descriptions of commonly used security principles. The publication enables organizations to understand all that needs to be included in cybersecurity policies.

As a result, businesses can develop holistic cybersecurity programs and policies covering essential data and systems. In addition, the publication outlines specific measures that companies should use to strengthen already implemented security policies. In total, the NIST SP 800-14 framework describes eight security principles with a total of 14 cybersecurity practices.

23. NIST SP 800-26 [24]

Whereas the NIST SP 800-14 framework discusses the various security principles used to secure information and IT assets, NIST SP 800-26 provides guidelines for managing IT security.

Implementing security policies alone cannot enable a company to achieve optimum cybersecurity, since policies require frequent assessment and evaluation. For example, the publication contains descriptions of how to conduct risk assessments and practices for managing the identified risks.

It is an instrumental framework that ensures organizations maintain effective cybersecurity policies. A combination of different NIST publications can ensure businesses maintain adequate cybersecurity programs.

[1] https://www.iso.org/isoiec-27001-information-security.html
[2] https://www.iso27001security.com/html/27002.html
[3] https://www.nist.gov/cyberframework
[4] https://www.iasme.co.uk/audited-iasme-governance/
[5] https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html
[6] https://www.cisecurity.org/controls/
[7] https://nvd.nist.gov/800-53
[8] http://www.isaca.org/cobit/pages/default.aspx
[9] https://www.coso.org/Pages/default.aspx
[10] https://www.etsi.org/cyber-security/tc-cyber-roadmap
[11] https://hitrustalliance.net/hitrust-csf/
[12] https://www.it-cisq.org/
[13] https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security
[14] https://www.fedramp.gov/
[15] https://www.hhs.gov/hipaa/index.html
[16] https://gdpr-info.eu/
[17] https://www.dhs.gov/cisa/federal-information-security-modernization-act
[18] https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf
[19] https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
[20] https://www.open-scap.org/features/standards/
[21] https://www.ansi.org/
[22] https://csrc.nist.gov/CSRC/media/Publications/sp/800-12/rev-1/draft/documents/sp800_12_r1_draft.pdf
[23] https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=890092
[24] https://csrc.nist.gov/publications/detail/sp/800-26/archive/2001-11-01

Ten Essential Cybersecurity Controls


Cybersecurity controls are essential because hackers constantly innovate smarter ways of executing attacks, aided by technological advancements. In response, organizations have to implement the best safeguards to strengthen their security postures. Developing a holistic approach entails adhering to international standards, complying with various regulations, and deploying defense-in-depth strategies.

Cybersecurity controls are the countermeasures that companies implement to detect, prevent, reduce, or counteract security risks. They are the measures a business deploys to manage threats targeting its computer systems and networks. The controls keep changing to adapt to an evolving cyber environment. As such, every organization needs to understand which controls are best suited to addressing its security concerns, and to understand them well enough to ensure they are effective.

The following guidelines enable businesses to determine adequate cybersecurity controls.

1.  Assess the size of the organization

First, the size of the organization should be assessed. The details concerning interconnected systems, employee numbers, network size, etc., should be reviewed. Assessing the size of an organization will assist in decision-making related to financial planning. The assessment will also help identify controls that should be implemented to mitigate existing challenges.

2.  Determine the scope of IT infrastructure

A company must identify the IT components that fall within the scope of cybersecurity controls. Considering all IT elements, regardless of whether they are contracted or owned, ensures adequate implementation of controls. In this context, IT infrastructure consists of applications, information systems, network devices, servers, and cloud applications, among others. An assessment will guide a company in listing all assets within the scope of cybersecurity controls.

3.  Determine the security levels of IT assets and information systems

Companies need to identify the information systems and IT elements that require higher levels of security. They should also be able to assign value to various types of information and assets. For instance, personally identifiable information about employees or customers might need higher levels of protection. Likewise, confidential information such as intellectual property or competitive strategies might need stronger security to prevent attempted breaches. In particular, the assessment of security levels should relate to the integrity, availability, and confidentiality of critical IT systems and information.

A scale of very low, low, medium, and high, with high representing assets requiring the highest security levels, can enable organizations to distribute cybersecurity controls according to need. This not only ensures efficiency in mitigating security challenges; it also assists in budget planning, since more funds can be allocated to areas requiring more controls.

4.  Confirm investments in cybersecurity

Before planning the acquisition and implementation of cybersecurity controls, security managers and professionals should confirm the organization’s level of investment in cybersecurity by assessing the expenditure allocated to IT security and data protection. Additionally, a company should budget for intangible controls such as employee training.

10 Essential Security Controls

This section describes the various controls used to alleviate cybersecurity risks and prevent data breaches. The controls also focus on responding to attempted cybercrimes to prevent a recurrence. Because every business today should anticipate a cyber-attack at any time, the controls establish mechanisms for detecting, responding to, and recovering from cyber incidents.

1.  Maintain a comprehensive incident response plan

Hacking and penetration methods have grown to unprecedented heights. Using available technology such as artificial intelligence, cyber adversaries can commit stealthy cybercrimes. As such, businesses should always expect attempted intrusions. For this reason, every organization should implement and continuously update a plan for responding to cyber incidents. The plan should also include measures for recovering from an attack.

To actively monitor, detect, and respond to security threats, companies should consider implementing solutions such as security information management systems, which allow security teams to keep track of all activity at the system or network level. In addition, organizations should assign responsibilities to security teams so that every individual is aware of their role in responding to cybersecurity incidents.

A company should also designate individuals with the legal obligation to report any attempted breaches. Besides shielding the organization from legal proceedings for failing to report an incident, reporting brings in forensic experts who can help develop a robust response to the incident.

Furthermore, businesses that lack the capacity to handle cybersecurity incidents should maintain a documented plan for engaging external professionals. This should include the personnel designated to assist with the response and strategies for allocating the required resources, so that the organization and the outsourced assistance work together smoothly.

2.  Patch management lifecycle


Today, every business depends on technology to accomplish its objectives. Some organizations are so reliant on IT that its absence would cause heavy losses. As a result, companies implement varying technologies from different vendors, which gives a criminal more entry points. Some of these products, whether hardware or software, may contain security vulnerabilities, and hackers usually exploit such vulnerabilities to gain system access and execute attacks. It is therefore necessary for an organization to observe a strict patch management lifecycle.

Most vendors release patch updates for firmware and software regularly to address security defects and existing or emerging vulnerabilities. Businesses should therefore install new patches as soon as vendors release them. Timely installation prevents zero-day attacks, where hackers exploit vulnerabilities before vendors notice them.

The patch management method depends on the scope of an organization’s IT infrastructure. Large organizations can find it difficult and expensive to manually keep track of the vulnerabilities present in devices spread across the network. To counter this, such companies can adopt effective risk-reduction practices; for example, an automated patch management system can identify vulnerabilities as soon as they emerge, along with the patches available to mitigate them. Smaller organizations, on the other hand, should enable automatic updates for all software products so that systems install updates as soon as they become available.
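Tracking which assets are still running a version below a vendor's fix, and for how long past the patch window, is the core of the patch management lifecycle described above. The following Python script is an added example, not code from the original article: the product names, versions, release dates and SLA windows are constructed sample data and assumptions, and the version parser assumes dotted numeric versions.

```python
"""Patch-backlog triage: flag assets whose vendor fix has been available
longer than the patch window allows.

Added example, not code from the original article. The advisories, assets
and SLA windows below are constructed sample data and assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Assumed patch windows in days by severity; tune to the organization's policy.
PATCH_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically;
    a plain string comparison would rank '2.4.10' below '2.4.9'."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: tuple   # first version that contains the fix
    severity: str
    released: date         # day the vendor published the patch


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    installed_version: tuple


def overdue_patches(assets, advisories, today):
    """Return (host, product, severity, days_overdue) for every asset still
    running a version below an advisory's fix once the SLA has elapsed.
    Sorted by severity, then by how far past the SLA the asset is."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if adv.product != asset.product:
                continue
            if asset.installed_version >= adv.fixed_version:
                continue                      # already patched
            days_available = (today - adv.released).days
            overdue = days_available - PATCH_SLA_DAYS[adv.severity]
            if overdue > 0:
                findings.append((asset.host, asset.product, adv.severity, overdue))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[2]], -f[3]))
    return findings


# Constructed sample data: hypothetical products and versions, not real advisories.
SAMPLE_ADVISORIES = [
    Advisory("webserver", parse_version("2.4.58"), "critical", date(2024, 3, 1)),
    Advisory("dbclient", parse_version("8.0.36"), "medium", date(2024, 2, 15)),
]
SAMPLE_ASSETS = [
    Asset("web-01", "webserver", parse_version("2.4.57")),
    Asset("web-02", "webserver", parse_version("2.4.58")),
    Asset("app-01", "dbclient", parse_version("8.0.30")),
    Asset("app-02", "dbclient", parse_version("8.0.10")),
]
SAMPLE_TODAY = date(2024, 3, 20)


def sample_report():
    """Run the triage over the constructed inventory."""
    return overdue_patches(SAMPLE_ASSETS, SAMPLE_ADVISORIES, SAMPLE_TODAY)


if __name__ == "__main__":
    for host, product, severity, days in sample_report():
        print(f"{host}: {product} ({severity}) is {days} days past its patch SLA")
```

In practice the inventory would come from an asset database or agent reports and the advisories from vendor feeds; the point of the example is the comparison and prioritization logic, including the numeric version comparison that string-based checks get wrong.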

3.  Apply antivirus solutions


Antivirus solutions are among the most readily available security controls. Almost all operating systems come with antivirus products installed. Antivirus products like Malwarebytes, McAfee, or Windows Security Center provide sufficient measures for detecting and eliminating malware threats. Cyber actors trick system users into installing different malware families, including spyware, ransomware, worms, and trojan horses; all programs developed to harm a system fall into one of these malware families.

Once an organization implements an effective antivirus product, it denies hackers the ability to execute attacks through malicious programs. Antivirus software continuously scans a system for harmful programs and eliminates them before they can cause damage. However, a business must apply all updates to ensure the security software has an up-to-date threat database. Cybercriminals create new malware every day, and rolling out updates maintains the ability of antivirus solutions to protect a system.

4.  Implement perimeter defense


Perimeter defenses allow an organization to protect its networks from attacks executed over the internet. Conventional network security controls include firewalls, which identify suspicious traffic flowing into a network and block it from entering. Firewalls also defend a network from external intrusion attempts. To counter online threats, businesses should establish dedicated firewalls at the boundaries connecting the corporate network to the internet. The firewalls can be a combination of hardware and software solutions.

Businesses should also activate and correctly configure the firewalls pre-installed in operating systems. The configuration settings include which applications are allowed to access the corporate network and which are restricted to private networks only. Alternatively, if the available firewall seems inadequate for the security environment, a business can choose to implement alternative firewalls.

Additionally, Domain Name System (DNS) filtering gives organizations the ability to prevent malicious web domains from connecting to their networks. DNS solutions help secure all devices connected to the corporate network. DNS firewall solutions also aid in content filtering and allow network admins to restrict access to websites deemed malicious.
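A DNS firewall of the kind described above works by checking each queried name against a blocklist before resolving it, and by recording which internal client asked. The Python below is an added example, not code from the original article or any DNS product: the blocklist entries, the query-log lines and the stand-in upstream resolver are all constructed. It also shows the matching rule a practitioner cares about, namely that a listed domain covers its subdomains but not look-alike names that merely end in the same characters.

```python
"""Protective DNS filtering: refuse to resolve names on a blocklist and
record which clients asked for them.

Added example, not code from the original article. The blocklist entries,
query log lines and the stand-in resolver are constructed assumptions.
"""
# Constructed blocklist; in practice this would be loaded from a threat feed.
BLOCKLIST = {"malicious.example", "phish.example"}


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """True when the name or any of its parent domains is listed.
    Matching is on whole labels: 'cdn.malicious.example' is blocked by the
    'malicious.example' entry, but 'notmalicious.example' is not."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(name: str, upstream, blocklist=BLOCKLIST):
    """Return ('blocked', None) for listed names; otherwise forward to
    `upstream`, a callable standing in for the real recursive resolver."""
    if is_blocked(name, blocklist):
        return ("blocked", None)
    return ("resolved", upstream(name))


def audit_queries(log_lines, blocklist=BLOCKLIST):
    """Summarize a query log as {client_ip: [blocked names...]} so admins
    can see which internal hosts tried to reach filtered domains.
    Each line is '<timestamp> <client_ip> <queried_name>'."""
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        _, client, qname = parts
        if is_blocked(qname, blocklist):
            hits.setdefault(client, []).append(normalize(qname))
    return hits


# Constructed sample log; the addresses and names are not real.
SAMPLE_LOG = [
    "2024-03-20T10:00:01 10.0.0.5 cdn.malicious.example",
    "2024-03-20T10:00:02 10.0.0.5 intranet.corp.example",
    "2024-03-20T10:00:03 10.0.0.7 PHISH.EXAMPLE.",
    "2024-03-20T10:00:04 10.0.0.9 notmalicious.example",
    "garbage line",
]

if __name__ == "__main__":
    fake_upstream = lambda n: "192.0.2.10"    # stand-in resolver
    print(resolve("cdn.malicious.example", fake_upstream))
    print(audit_queries(SAMPLE_LOG))
```

The audit summary is the detection side of the control: a client that repeatedly queries blocked names is worth a look even though the resolver refused every request.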

Another necessary perimeter defense is secure connectivity. A company should establish reliable connectivity processes for all relevant online services. For instance, since most businesses today allow employees to work remotely, they should offer them virtual private networks (VPNs). VPNs hide online user activity so that attackers cannot execute sniffing or eavesdropping attacks. Moreover, most home networks lack the necessary security, and VPNs protect a company from attacks that leverage insecure networks.

Perimeter defenses also include separating public Wi-Fi from the corporate network. Organizations often provide employees and customers with public Wi-Fi, which is, in most cases, insecure. Separating it from the corporate network ensures that malicious individuals cannot use it to compromise the corporate network’s security. Corporate networks contain confidential resources that companies must protect from unauthorized access.

Lastly, businesses with points of sale should conform to the PCI DSS (Payment Card Industry Data Security Standard). The standard recommends appropriate controls for securing customers’ credit card information and helps an organization prevent hackers from compromising PoS terminals and online financial systems. Among other controls, a company can isolate PoS terminals from public and corporate networks.

5.  Secure mobile devices


Internet of Things and mobile devices enable organizations to enhance work processes and increase productivity, which has led many organizations to adopt them on a large scale. The companies either own the devices or maintain policies that allow employees to use their own. Either way, a business must develop appropriate measures for safeguarding company data processed on or communicated through the devices.

An essential control is isolating sensitive company data from personal data. An organization should provide employees with work accounts such as email and customized applications. Other solutions, such as secure folders or locker functions, can enable employees to protect organizational information. Moreover, a company must enforce isolation in a manner that balances its security and business needs; for instance, ensuring employees use encrypted networks to communicate and share information can achieve both.

Additionally, organizations use mobile devices because simple applications are available that can complete complex tasks. However, every application introduces its own set of risks, which expands the threat surface. A key control for minimizing these risks is requiring employees to install applications only from trusted stores. Downloading applications from third-party sites may cause users to install apps that have been reverse engineered and repackaged with malware.

Organizations with sophisticated IT processes should also consider solutions that facilitate enhanced mobile device administration, such as an Enterprise Mobility Management (EMM) system. Through EMM, companies can realize enhanced business features while centrally managing mobile devices. EMM solutions differ in their features, but they provide functions for managing, auditing, and supporting the use of mobile devices; capabilities may include remotely wiping the data of stolen or compromised devices.

Cyber actors may also execute attacks based on the mobile connectivity of organizational devices. Therefore, companies should enforce policies that ensure users disable automatic connectivity. Hackers use open networks to lure unsuspecting users and install malware on their devices once they connect. Furthermore, businesses should restrict short-range wireless protocols such as near-field communication (NFC) and Bluetooth. Cybercriminals can compromise such connections easily, so employees should avoid using them to share confidential information.

6.  Emphasize employee training and awareness

Training employees on cybersecurity basics can protect organizations from disastrous attacks. It is one of the most crucial controls, since attackers exploit system users’ ignorance to execute attacks. For instance, the success of phishing attacks largely depends on a user’s inability to identify phishing emails. Employee security training provides the first line of defense, since practical skills lead to an enhanced security posture. To implement an efficient training and awareness program, businesses should focus on easily achievable measures such as those listed below:

  1. Acquisition and use of approved software programs from legitimate vendors
  2. Efficient password management policies, including secure creation, storage, and sharing
  3. Ability to detect malicious links and attachments contained in spear-phishing emails
  4. Appropriate internet usage, including the list of websites to avoid when connected to the company network
  5. Secure use of social media sites to prevent angler phishing attacks
  6. Proper security configurations

IT vendors create products using default configurations. All software and hardware products ship with default settings, most of which may not provide the required security levels. Default configurations are a considerable security problem for enterprises because they do not contain sufficient security settings to prevent attacks. For example, software developers often use the same default password for all products. Attackers can easily guess default configurations, which simplifies their intrusion attempts.

As a result, companies should replace default configurations with more secure ones. Different businesses have different security needs, so the shipped settings may not meet all of a given organization’s security expectations. Organizations must therefore reset administrative passwords and secure all applications with strong, hard-to-guess passwords. At the same time, a business should review device settings to eliminate insecure defaults, enabling all necessary security measures and disabling unneeded functionality.

7.  Implement strong user authentication

One of the leading causes of security incidents in organizations is insider threats. These are threats resulting from employees helping hackers achieve their malicious intent or from users committing cybercrimes for their own benefit. To accomplish this, malicious users may steal other users’ login credentials and use their accounts to facilitate cybercrimes, covering their tracks and pinning the crimes on innocent employees. An effective control for mitigating insider threats is implementing strong user authentication.

User authentications are the processes for verifying the legitimacy of a system user. For a user to be authenticated, he has to provide accurate information, including usernames and passwords. A major way of implementing strong user authentication is implementing two-factor or multi-factor authentication. The strategies require users to provide a combination of accurate authenticators. The combination must include a username, a password, and a physical token or code. Multi-factor authentication provides additional security since a user must provide a token or code generated automatically once a user initiates a login session.

Also, securing critical systems using powerful passwords is an effective user authentication method. System administrators should regularly change the passwords to eliminate the possibility of the passwords falling into the wrong hands. Whereas some security protocols require admins to change passwords at the sign of attempted security incidences, it is more effective to stick to a regular password management schedule. Password management policies should take into account factors like password length and reusability.
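As an added illustration of the second factor described above (example code written for this edit, not part of the original article), the following Python implements the time-based one-time password (TOTP) scheme from RFC 6238 that authenticator apps use, together with the server-side check: a tolerance of one 30-second step either way for clock drift, a constant-time comparison, and rejection of any code for a step that has already been accepted, so a code captured by a phisher cannot be replayed. The secret is the public test vector from RFC 4226, not a real credential; the step size, digit count and window are the common defaults.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6

# Public test secret from RFC 4226 / RFC 6238 ("12345678901234567890" in base32),
# used here so the outputs can be checked against the RFC tables. A real
# deployment generates a random secret per user and shares it with the user's
# app once, at enrollment (usually as a QR code).
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret_b32, int(unix_time // step))


class TotpVerifier:
    """Server-side second-factor check for one enrolled user.

    - accepts the current step plus `window` steps either side (clock drift);
    - compares in constant time so timing does not leak how many digits matched;
    - remembers the highest step already accepted and refuses it and anything
      older, so an intercepted code cannot be replayed.
    """

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window
        self.last_step_used = -1

    def verify(self, code: str, unix_time: float) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        current = int(unix_time // STEP_SECONDS)
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step_used:
                continue  # already consumed (or older than a consumed step)
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step_used = step
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(RFC_TEST_SECRET_B32)
    now = 59  # RFC 6238 test time: step 1, expected code 287082
    print(totp(RFC_TEST_SECRET_B32, now))      # 287082
    print(verifier.verify("287082", now))      # True
    print(verifier.verify("287082", now))      # False: replay of a used code
```

The replay guard is the part most home-grown implementations forget: without `last_step_used`, a phishing page that relays the victim's code to the real site within the window can log in a second time with the same code. Storing that counter per user (in the same record as the secret) is what makes the code truly one-time.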

8.  Observe strict access controls

Access control measures build on the security that user authentication provides. Access control differs in that it covers the strategies an organization uses to decide what an authenticated user may do with IT resources. A primary function of access control is determining which user can access which resource and at what level. Different control models exist, and it is the company's responsibility to choose one that meets its security requirements.

An example is role-based access control (RBAC). Companies can use it to grant access according to a user's assigned role. A user in the marketing department, for example, cannot access resources reserved for the finance department. Because every permission is tied to a role and every action to an individual account, RBAC also lets administrators trace activity back to a person and reconstruct the events that led to a security incident.

Least-privilege access control likewise protects sensitive resources from unauthorized use. Under least privilege, users receive only the access they need to accomplish their tasks and nothing more; access follows job function rather than seniority, so a CEO does not automatically get broader system rights than a department manager. Least privilege not only prevents unauthorized access but also limits the damage a compromised account can do and reduces wasted resources.

Moreover, restricting the use of administrative accounts enhances security by preventing unauthorized users from making system changes. Companies should limit administrative accounts to system administrators, and those accounts should be used only for administrative functions. Administrators should have a separate standard account for email, browsing and other day-to-day work, so that a phishing email opened in the normal course of business does not run with administrative rights. Also, to achieve transparency and accountability, businesses should give each employee an individual account rather than a shared login, and enforce password security on every account.
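To make the three rules above concrete, here is a small deny-by-default authorization check in Python, written for this edit rather than taken from the article: roles map to permissions, anything not granted is refused, system-changing permissions may only be exercised from a dedicated administrative account, an administrative account may not be used for everyday work, and every decision is recorded against a named account so it can be traced later. The roles, permission names and accounts are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed role -> permission map for this example. Anything not listed is
# denied: an account has exactly the permissions its roles grant, nothing more.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "marketing": {"crm:read", "crm:write", "files:marketing:read"},
    "finance":   {"ledger:read", "ledger:write", "files:finance:read"},
    "it-admin":  {"server:reboot", "user:create", "user:disable"},
}

# Permissions that change the system itself. They may only be exercised from a
# dedicated administrative account, never from the account used for email and
# browsing, so a phished day-to-day account cannot reconfigure anything.
ADMIN_ONLY: Set[str] = {"server:reboot", "user:create", "user:disable"}


@dataclass
class Account:
    username: str              # individual, never shared, so actions are attributable
    roles: Set[str]
    is_admin_account: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_TRAIL: List[str] = []    # every decision is recorded against a named account


def permissions_for(account: Account) -> Set[str]:
    """Union of the permissions granted by each of the account's roles."""
    granted: Set[str] = set()
    for role in account.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def authorize(account: Account, permission: str) -> Decision:
    """Deny-by-default RBAC check plus the admin-account separation rule."""
    if permission not in permissions_for(account):
        decision = Decision(False, f"no role of {account.username} grants {permission}")
    elif permission in ADMIN_ONLY and not account.is_admin_account:
        decision = Decision(False, f"{permission} requires a dedicated admin account")
    elif account.is_admin_account and permission not in ADMIN_ONLY:
        decision = Decision(False, f"admin account {account.username} may not be used for {permission}")
    else:
        decision = Decision(True, f"{account.username} may {permission}")
    verdict = "ALLOW" if decision.allowed else "DENY"
    AUDIT_TRAIL.append(f"{account.username} {permission} {verdict}: {decision.reason}")
    return decision


if __name__ == "__main__":
    alice = Account("alice", {"marketing"})
    bob = Account("bob", {"it-admin"})                               # bob's everyday account
    bob_adm = Account("bob-adm", {"it-admin"}, is_admin_account=True)  # bob's admin account
    for acct, perm in [(alice, "crm:read"), (alice, "ledger:read"),
                       (bob, "server:reboot"), (bob_adm, "server:reboot")]:
        print(authorize(acct, perm))
    print("\n".join(AUDIT_TRAIL))
```

Note that `bob` holds the `it-admin` role but is still refused `server:reboot` from his everyday account; only `bob-adm` can reboot, and `bob-adm` in turn cannot read the CRM. That split is what keeps a phished mailbox from turning into a reconfigured server.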

9.  Maintain secure portable devices

Portable devices like USB sticks, SD cards and external hard drives let users transfer data quickly and conveniently, and some businesses use such media to create and store backups. However, their small size makes them easy to lose or steal, giving unauthorized individuals access to confidential information. They therefore introduce significant challenges for data confidentiality, integrity and availability.

Although more secure options such as cloud storage exist, it is very hard to prevent the use of portable media altogether. Organizations should therefore require strong encryption on portable devices, for example full-disk encryption or hardware-encrypted drives, so that stored data stays protected if the media falls into unauthorized hands. Organizations should also include asset control procedures that govern the issuing, use and disposal of such devices.

10.  Securely encrypt and back up data

Data backups and encryption are useful controls for preserving the availability and integrity of data. Even with the best security practices in place, cyberattacks still occur, leading to data theft or corruption. Backing up data frequently, daily for most business systems, limits what such an incident can destroy and keeps data available to support business continuity.

However, malicious individuals also target backup data, and ransomware in particular tries to encrypt or delete backups before it strikes production systems. Companies can protect backups by encrypting them and storing copies in multiple external locations, with at least one copy kept offline or otherwise immutable so that an attacker who compromises the network cannot alter it. Cloud services, for example, are a practical choice for off-site backup storage; organizations should secure cloud backups with strong authentication and access control measures.

Before setting up a backup process, a business should identify its essential data and how often that information changes; this informs the backup schedule and retention. Separating sensitive data from public data also saves the cost and time of creating and maintaining backups. Lastly, businesses should develop and continuously update the procedures for accessing and restoring backup data, and test those restores regularly: a backup that has never been restored is not yet known to work.
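The integrity half of this control is easy to get wrong: a backup that was silently corrupted, or that an intruder altered, looks fine until the day it is needed. As an added example (written for this edit, not part of the article), the Python below builds a manifest of SHA-256 hashes for a backup set, signs the manifest with an HMAC key held off the backup host so that an attacker who can rewrite the backup cannot also rewrite its description, and checks a restored copy against the manifest, reporting missing, truncated, corrupted and unexpected files. The sample files and the key are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Describe a backup set: name, size and SHA-256 of every file.
    The manifest is stored with the backup, and a copy is kept in a second
    location together with the signing key."""
    entries = {
        name: {"size": len(data), "sha256": sha256_hex(data)}
        for name, data in sorted(files.items())
    }
    return json.dumps({"version": 1, "files": entries}, sort_keys=True, indent=2)


def sign_manifest(manifest_json: str, key: bytes) -> str:
    """HMAC-SHA256 over the manifest text. An intruder who can rewrite the
    backup files could rewrite an unsigned manifest to match; without the key,
    which never lives on the backup host, they cannot produce a valid tag."""
    return hmac.new(key, manifest_json.encode("utf-8"), hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest_json: str, signature_hex: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest_json, key), signature_hex)


def verify_restore(manifest_json: str, restored: Dict[str, bytes]) -> List[str]:
    """Compare a restored set against the manifest. Returns the problems found;
    an empty list means every file is present and byte-for-byte intact."""
    expected = json.loads(manifest_json)["files"]
    problems: List[str] = []
    for name, meta in expected.items():
        if name not in restored:
            problems.append(f"missing: {name}")
        elif len(restored[name]) != meta["size"]:
            problems.append(f"size mismatch: {name}")
        elif sha256_hex(restored[name]) != meta["sha256"]:
            problems.append(f"corrupted: {name}")
    for name in restored:
        if name not in expected:
            problems.append(f"unexpected: {name}")
    return sorted(problems)


if __name__ == "__main__":
    # Constructed sample data standing in for a nightly backup set.
    original = {
        "ledger.csv": b"2024-03-01,invoice-17,1200.00\n",
        "notes.txt": b"renew domain\n",
    }
    key = b"example-key-kept-off-the-backup-host"   # hypothetical; use a random key
    manifest = build_manifest(original)
    signature = sign_manifest(manifest, key)
    print(manifest_is_authentic(manifest, signature, key))          # True
    print(verify_restore(manifest, original))                        # []
    tampered = dict(original, **{"ledger.csv": b"2024-03-01,invoice-17,9999.00\n"})
    print(verify_restore(manifest, tampered))                        # ['corrupted: ledger.csv']
```

Run `verify_restore` as part of every restore test, not only after an incident; the signature check belongs before it, since a manifest that has been rewritten to match damaged files will pass the hash comparison.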

Compliance Regulations and the Future of Cybersecurity

Compliance regulations provide organizations with acceptable standards for developing strong cybersecurity programs. Compliance is an important tenet underlying the development and maintenance of information security programs. Different regulations have emerged over the years to address increasing security challenges.

Today, cyber actors relentlessly develop new malware, trojans and tools for compromising organizational security, and emerging technologies have always brought unprecedented risks with them. For example, the rise of cryptocurrencies like Bitcoin, Monero and Ethereum led to a surge in crypto-jacking attacks that, for a time, rivaled ransomware, which had been the dominant threat for years.

It is, therefore, vital for organizations to understand the current and future state of cybersecurity and how they can best protect themselves from emerging threats. A primary response has been the establishment of international and local regulatory bodies that develop security standards to help companies harden their security postures.

A common feature of compliance is that regulations, standards, policies, and legislations are directly influenced by evolving cybersecurity environments. Many organizations thus find it a challenge to maintain acceptable compliance postures.

Current Compliance Regulations

Compliance regulations provide organizations with directives for safeguarding their data and IT systems, and for addressing existing privacy and security concerns. Also, compliance regulations ensure that companies fulfill their obligations to prevent accidental breaches and attacks caused by negligence or the implementation of insufficient security programs.

Most regulations compel organizations to secure their systems through implementing a variety of basic security measures such as firewalls, adequate risk assessments, data encryption technologies, and training employees on secure use and handling of sensitive information.

Whereas some regulations are voluntary, others are mandatory. Consequently, organizations should demonstrate they not only understand them, but they also implement and maintain them accordingly. They should, at any time, produce evidence they are compliant.

Benefits of Compliance Regulations

  1. Business opportunities: compliance regulations are meant to enable companies to secure their systems and observe best practices for protecting data. Potential customers often prefer businesses that fully comply with existing laws.
  2. Reduced risk: the guidelines and recommendations in compliance regulations allow companies to reduce cyber threats, since the controls they prescribe are tested and accepted internationally.
  3. Avoiding fines and penalties: most compliance regulations are mandatory, and non-compliance leads to hefty penalties. Under the GDPR, for example, fines can reach €20 million or 4% of annual worldwide turnover, whichever is higher. Complying protects a business from such fines and the financial damage they bring.
  4. The rule of law: compliance regulations ensure that all businesses abide by the same rules. Compliance levels the field, as enterprises can adopt comparable security measures and be assured of a baseline of protection.
  5. Increased efficiency and improved economies of scale: compliance regulations are developed to give businesses cost-effective security practices. At minimal cost, a business can deploy proven security controls and enjoy protection comparable to that of a Fortune 100 company.

Existing Compliance Regulations and Requirements

  1. HIPAA

HIPAA (the Health Insurance Portability and Accountability Act) is a United States regulation for securing protected health information. It applies to covered entities, namely health plans, healthcare clearinghouses and healthcare providers, and to the business associates that handle health data on their behalf, so organizations well outside the healthcare industry can fall under it by processing such data. Health information is highly sensitive and must not be disclosed to unauthorized parties, so protective measures for securing it must be implemented.

HIPAA contains a set of requirements of which each covered organization must demonstrate a full understanding. HIPAA also requires businesses to run training programs that equip employees with security awareness skills, so that staff know their responsibilities when accessing information systems that house sensitive health data.

HIPAA also requires companies to develop and maintain processes for detecting and preventing security violations. To be HIPAA compliant, an organization must regularly conduct risk analysis and assessments to identify security vulnerabilities in its systems.

Steps for managing and reducing the identified risks should follow, to bring information systems and infrastructure to an acceptable level of risk. HIPAA further dictates that organizations create sanction policies for dealing with non-compliant staff members.

  2. FISMA

The Federal Information Security Management Act (FISMA) of 2002, updated by the Federal Information Security Modernization Act of 2014, requires federal agencies to secure their information systems. The requirements extend to partners and contractors that operate systems or handle information on behalf of federal agencies.

FISMA requires each agency to establish an agency-wide information security program, and security awareness and training is a core element of it. The training programs aim to ensure that everyone who interacts with federal information systems knows the security guidelines and practices they must follow. FISMA requires personnel working in or with federal agencies, including contractors and business partners, to participate in the training and understand the underlying security guidelines and procedures.

Anyone accessing federal information or federal information systems must show they have completed the training and understood the material. Personnel must also demonstrate the ability to put the acquired skills into practice and apply best practices competently to secure federal information.

  3. PCI-DSS

The Payment Card Industry Data Security Standard (PCI-DSS) is a security standard for organizations that store, process or transmit payment card data. It is not a law but is enforced contractually by the card brands through acquiring banks, and it provides businesses with the security controls they must implement to protect customers' card data.

PCI-DSS affects businesses that accept cards through channels where cardholders enter sensitive information, such as eCommerce websites and online payment forms. Such platforms are a constant target for cybercriminals seeking access to card data, so PCI-DSS compliant organizations must implement all the required security measures to safeguard it.

The standard's requirements include installing and configuring firewalls to protect cardholder data. PCI-DSS also requires an organization to change vendor-supplied defaults and system passwords, so that new passwords are hard to crack and the security parameters match the organization's security needs.

PCI-DSS further tasks organizations with encrypting card data transmitted over public and insecure networks. Other requirements include adopting access control measures that restrict unauthorized access to card data, and regularly testing the security of systems and processes.

  4. GDPR

The General Data Protection Regulation (GDPR) has become immensely prominent since it came into force in May 2018. The regulation requires organizations to implement sufficient security measures to protect the personal data of individuals in the European Union.

The GDPR applies to organizations anywhere in the world that handle or process the personal data of people in the EU. It has compelled many organizations to comply to avoid the hefty fines that come with non-compliance. A company can also be fined if insufficient security measures lead to a data breach that exposes or destroys personal data. In January 2019 the French regulator CNIL fined Google €50 million (about £44 million) for a lack of transparency and valid consent in how it used personal data for ad personalization.[1]

The GDPR requires companies to tell data subjects how and why their data will be used, and to have a lawful basis for every use; where that basis is consent, the consent must be explicit and freely given, or the organization risks heavy fines. The GDPR also requires businesses to implement and maintain appropriate technical and organizational measures for securing personal data, such as encryption, access control and strong authentication. The regulation contains further requirements intended to boost data security, including notifying the regulator of a breach within 72 hours.

  5. NIST 800-53

NIST (National Institute of Standards and Technology) Special Publication 800-53 provides federal agencies with a catalog of security and privacy controls for their information systems. Organizations in the private sector use the same catalog to harden their cyber defenses. NIST 800-53 gives federal agencies and their contractors the controls they can implement to comply with FISMA.

The catalog comprises various controls that aid in developing secure information systems resilient to cyber-attacks. The controls span management, technical and operational safeguards which, when implemented, preserve the confidentiality, integrity and availability of information and information systems.

NIST 800-53 also organizes its guidance around the concept of security control baselines: starting sets of controls selected according to the impact level (low, moderate or high) of the system being protected. The baselines give federal agencies and private organizations a starting point that reflects functional and operational needs as well as the common threats to organizational information systems.

The publication further describes a tailoring process that an organization uses to adjust the baseline to the requirements of its own information systems. Control families in the catalog include access control, awareness and training, audit and accountability, configuration management, contingency planning, incident response, personnel security, identification and authentication, and system and communications protection.

Balancing Compliance Regulations and Cybersecurity

Compliance regulations play an integral role in fostering cybersecurity. However, as witnessed with the enactment of the GDPR, many businesses have channeled resources and time into complying with the regulation rather than into sound security engineering. Worse, regulations age quickly, so organizations are always struggling to keep up with new standards and requirements.

It is also important to note that cybercriminals can read the regulations too. A checklist that every company follows tells an attacker exactly which controls to expect and which gaps the checklist leaves. Companies that exhaust finances, staff and time on compliance alone end up with the vulnerabilities the regulation did not anticipate, instead of defenses tuned to the threats they actually face.

What can be done about such issues? Businesses have a responsibility to invest in current defensive measures to counter new threats and attacks. Maintaining compliance with multiple regulations without addressing actual defensive capability can be detrimental to security. To balance regulation and security, companies should invest in technologies and processes that serve both purposes.

One approach is artificial intelligence. AI systems can be used to digest the vast quantities of information contained in multiple regulatory frameworks and map them to a company's controls, helping it stay compliant with existing and emerging regulations. At the same time, AI has proved useful in cybersecurity tools such as antivirus solutions, intelligent firewalls, and intrusion detection and prevention systems. AI can thus address both needs at once, and also reduce the cost and labor required to achieve both full compliance and strong cybersecurity.

The Future of Cybersecurity

Recent cyberattacks have caused large-scale damage. In May 2017, WannaCry, one of the most significant ransomware attacks to date, hit organizations in some 150 countries. The United Kingdom's National Health Service was among the worst affected, with healthcare services disrupted across major facilities for close to a week. The NotPetya attack followed in June 2017. Spread through a compromised update of a Ukrainian accounting package, it hit Ukrainian government, power and banking organizations and then spread worldwide, reaching the Russian oil company Rosneft among others and causing enormous losses. Although it presented itself as ransomware, NotPetya behaved as a wiper: paying did not recover the data.

Such attacks demonstrate why researchers and governments are continuously working towards realizing better defensive strategies to stay a step ahead. However, although a lot is being done to provide working mitigations to rampant cybercrimes, the cyber threat environment will keep changing as new technologies emerge. These will be leveraged in both fighting cybercrimes and in developing more sophisticated attacking patterns.

The entry of 5G Network

Many countries are rolling out 5G network connectivity and infrastructure, South Korea, China and the United States among them. Huawei has already released smart TVs in the Chinese market that use 5G networks. While 5G brings many benefits, most of them tied to its much higher speed and lower latency, it also brings some of the biggest challenges the cybersecurity landscape has faced. 5G networks not only provide faster connectivity but are designed to connect billions of new devices every year.

Those devices will run critical infrastructure and applications over connections up to tens of times faster than 4G, and the number of connected IoT devices worldwide is already counted in the billions.[2] New architectures will emerge to connect whole geographic regions, communities, industries and critical infrastructures. At the same time, 5G will significantly alter the cyber threat landscape. Most attacks perpetrated today are financially motivated and cause no physical damage to infrastructure or locations.

With 5G, cyber-attacks could cause severe physical destruction that destabilizes a country's economy or costs lives. Worse still, such attacks will propagate at the same 5G speeds, leaving defenders far less time to detect and stop them before damage is done.

Moreover, 5G will let adversaries discover and exploit vulnerabilities almost instantly. The techniques are similar to today's; the difference is that entire enterprises, critical infrastructure such as the road networks that autonomous vehicles depend on, and everything else needed to run a smart city will be connected. The damage a successful attack could do can only be imagined, and early examples are already happening.

For instance, in September 2016 a Department of Homeland Security team remotely compromised a Boeing 757 parked at Atlantic City airport, without insider help or physical access to the aircraft. Also, a 2019 ransomware attack on the City of Baltimore locked roughly 10,000 city computers and took services offline for weeks.[3] Neither attack caused physical destruction. The picture would be very different if 10,000 self-driving cars were locked out of the infrastructure they depend on: unable to talk to each other or to navigation systems, they would cause accidents or massive congestion.

In the coming years, 5G will drive the development of smart cities and infrastructures, producing interconnected critical systems at an entirely new scale: automated waste and water systems, driverless vehicles depending on intelligent transport systems, automated emergency services, and the workers who rely on all of them. Each will depend on the others.

As highly connected as these 5G-enabled systems will be, they will also likely be highly vulnerable. In the 2017 WannaCry attack, the ransomware reached some 150 countries within a day; 5G will let such malware spread even faster and across far more devices. 5G will change the world immensely, but it may also bring cybercrime into the physical world, with consequences yet to be known.

Artificial Intelligence

The need for real-time detection and prevention, especially as 5G is adopted, cannot be overstated. Artificial intelligence provides crucial components for defending at the pace and scale the future will demand, and it is already used to build cybersecurity tools that operate at that pace and scale. AI-powered security solutions will be leveraged to detect and respond to cyber-attacks more efficiently, deliver real-time mitigation and situational awareness, and automate risk assessment, threat detection and mitigation.

However, many reports indicate that cybercriminal communities seize on and exploit artificial intelligence as soon as new capabilities appear. This poses new challenges in the race to develop working defenses. Criminals using AI could rapidly bypass technical controls that industries have built up over decades. In the financial industry, for example, criminals may soon use AI-driven voice synthesis to mimic the voice captured in biometric data and bypass voice authentication on individual bank accounts.

Using AI for criminal purposes will most likely give rise to new kinds of cyber-attacks and attack cycles. Malicious actors will target and deploy such attacks where they cause the most damage, using means that industries never thought possible. To name a few, AI-driven attacks might be used in biotech to steal or manipulate DNA data, to destabilize the movement of unmanned vehicles, or in healthcare, where smart ransomware could be timed to execute when systems are most vulnerable, maximizing its impact.

Biometric Security

Combating the emerging cybersecurity trends will most likely cause biometrics to be among the most used strategies for security. Currently, biometrics are playing a central role in securing devices like laptops and smartphones, or for physical security where iris and fingerprint scans are used to secure sensitive and classified areas.

Biometrics will continue to be used to develop next-generation authentication mechanisms. Adopting such measures will require the collection of enormous volumes of data about individuals and their activities. Fingerprint, iris and voice recognition will not be enough on their own, and biometrics will extend to details such as body movement and gait. That will make this new generation of biometric data a target in its own right: rather than contact details, social security numbers or names, attacks will focus on the data used for biometric security, and unlike a password, a fingerprint or a gait cannot be reset once stolen.

What Next? New Measures and Compliance Regulations

So, what is next for cybersecurity? First, it is important to note that cybercriminals have so far been executing low-risk, high-reward attacks with minimal or zero attribution. Traditional responses have provided practical solutions against these, so organizations have mostly relied on them. In the coming years, emerging and transformative technologies will significantly alter the cyber threat landscape.

Understanding how best to defend against the expected rise of new-generation attacks first requires understanding how far the cyber landscape and the risk environment will change. Such urgent and critical analysis can only be accomplished through persistent, evidence-based research. The expertise of security professionals, academics and policy makers will be integral to developing effective measures for curbing future cybercrime.

Ultimately, new compliance regulations are necessary as a result of the changing cybersecurity landscape. At the same time, the responsibility for complying will increase as a result of the new laws and regulations as well as user demands and public opinion. Organizations will remain challenged to incorporate the new requirements into their business processes, including their communications, employees, tools, and infrastructure.

  1. https://www.bbc.com/news/technology-46944696
  2. https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/
  3. https://www.npr.org/2019/05/21/725118702/ransomware-cyberattacks-on-baltimore-put-city-services-offline

Smart City Security

Smart cities are the future of technology. We are quickly becoming dependent on computers to run cities.

Smart city technology addresses issues like energy, transportation, and utilities. This technology works to reduce resource consumption and waste to reduce costs. The smart city aims to enhance the quality of living of the people who live in it through the use of intelligent technology.

Importance of Security in Smart City

Security is an essential aspect of the success of a smart city. It can be a challenge because so many technologies are involved and so many different networks and components are interconnected. A smart city will face many types of cyber-attack, including phishing, malicious code, website intrusions, DDoS and social engineering.

To secure the smart city, engineers and architects must introduce security starting at the conceptual stage. Security is essential during every step of the development lifecycle. Vulnerabilities must be addressed at every level to mitigate the severe consequences that can put the whole smart city at risk.

When adequate security controls are present, the technology that the smart city supports will run normally, and the people will continue to enjoy the services that come from the smart city.

Attackers can cause grave damage and can go as far as causing loss of life. An attack on traffic lights systems, food distribution systems, hospital systems, and transport systems may cause irreparable harm.

The security challenge for smart cities

One of the security challenges that smart cities face is the security of sensor hubs. The sensors monitor things like weather, air quality, traffic, radiation and water levels, and can automatically drive vital services such as traffic and street lights, security systems and emergency alerts. If sensors are left unpatched, attackers might gain access and manipulate critical data.

An example of this is a recent attack on a commercial irrigation system in Israel. Hackers were able to turn the water system on and off remotely. Attacks such as these are a great danger to the smart city water system and could result in the emptying of the water reservoir overnight.

Software bugs pose a significant threat to smart cities. They open vulnerabilities that attackers can exploit to reach smart city systems, for example by injecting commands that the software never intended to accept, and so gain unauthorized access.

Another security concern is internet openness that most smart cities utilize. The Internet can pose threats to anything connected to it if it is not adequately secured.

Authentication bypass may also be a challenge. Such an attack lets hackers into internal administrative areas of the smart city that should not be reachable without valid credentials, without ever entering a password.

SQL injection is also a growing concern. Web applications that build database queries by pasting user input directly into SQL text allow an attacker to supply input that changes the meaning of the query: reading data, altering it or, in the case of a login form, bypassing authentication entirely. Furthermore, internet-wide scanners like Shodan and Censys continuously index devices exposed to the internet, so any smart city component left reachable with a default password or an unpatched service is easy for attackers to find.

Social engineering attacks are a significant threat to smart cities and a major challenge for the Internet of Things components they rely on. Attackers deceive a user into performing an action that causes a breach of a system's information security.

The effects of social engineering attacks can also result in physical impacts like:

  • Disruption and damage of train and tram signaling system, causing accidents.
  • Water system damage causing water wastage
  • Nuclear power plant damage
  • Manufacturing plants destruction

Phishing remains a major threat to smart city operations. Phishing attacks target email users to capture their credentials, and attackers can use the credentials they harvest to reach smart city systems. The techniques and technologies behind phishing will continue to evolve, and an attacker who gains operator access this way can tamper with what the systems report, for example suppressing or faking alerts such as tire pressure or gas leakage warnings.

Ways to make smart city secure

There are significant challenges in securing a Smart city.  However, the implementation of proper measures can successfully mitigate risk.

Security practices

Smart cities are made up of a plethora of devices from many different manufacturers, so patch management is challenging. Each manufacturer must make sure its products are secure and that software patches are issued promptly, but it remains the operator's responsibility to apply them and practice good security hygiene.

A smart city should have controls and standard operating procedures for when a security breach happens. The procedures should cover identifying the breach, containing the attack, and restoring the systems.

Common issues

Basic security steps can be taken to avoid common pitfalls. Users should change default passwords to unique, complex ones, and policies should be enforced to ensure that passwords are strong. Security operations centers are needed to monitor security, mitigate vulnerabilities, and respond to attacks.

Software updates on time

All software used in a smart city should be kept up to date. There should be a system administrator whose responsibility is to make sure that all software is kept updated, so that hackers cannot exploit known vulnerabilities. All firewalls and antivirus software should be updated frequently.

Proper security framework

It is challenging to keep track of all components of a smart city due to its complexity. There may be thousands of connected devices deployed over many square miles. But the task can be accomplished using a proper framework.

A useful framework will include automated checks for software updates and security patches.
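As an added illustration of such an automated check (my example, not code from the original article or from any particular framework or product), the script below compares a constructed device inventory against a constructed table of minimum patched firmware versions, one entry per vendor product, and reports what must be updated first. Every device name, product key and version number in it is an invented placeholder.

```python
"""Automated patch-level check across a fleet of devices from many vendors.

Added example, not from the original article. The inventory, the product
keys and the minimum patched versions below are constructed placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str      # asset identifier as known to the operator
    product: str   # vendor/product key used to look up the baseline
    version: str   # firmware version string as reported by the device


def parse_version(v: str) -> tuple:
    """Convert '2.10.1' into (2, 10, 1) so that comparison is numeric.

    A plain string comparison would sort '2.9' after '2.10'; extracting the
    integer components avoids that. Non-numeric suffixes such as '1.2b' are
    ignored rather than rejected, so every inventory line can be assessed.
    """
    return tuple(int(part) for part in re.findall(r"\d+", v))


def find_outdated(inventory, baseline):
    """Split the inventory into devices below their baseline and devices
    that have no baseline at all.

    Returns (outdated, unknown): outdated is a list of (device, required
    version); unknown lists devices whose product has no entry, because a
    device that cannot be checked must not be assumed to be patched.
    """
    outdated, unknown = [], []
    for dev in inventory:
        required = baseline.get(dev.product)
        if required is None:
            unknown.append(dev)
        elif parse_version(dev.version) < parse_version(required):
            outdated.append((dev, required))
    return outdated, unknown


# Constructed sample data: minimum patched version per product ...
BASELINE = {
    "acme/traffic-controller": "4.2.0",
    "acme/water-sensor": "1.8.3",
    "globex/cctv-gateway": "2.10.0",
}

# ... and the inventory as an asset register would report it.
INVENTORY = [
    Device("signal-017", "acme/traffic-controller", "4.2.0"),
    Device("signal-018", "acme/traffic-controller", "4.1.7"),
    Device("well-03", "acme/water-sensor", "1.8.3"),
    Device("cam-gw-2", "globex/cctv-gateway", "2.9.5"),
    Device("kiosk-01", "initech/info-kiosk", "0.9"),
]


def report(inventory=INVENTORY, baseline=BASELINE):
    """Return report lines, most urgent first: devices known to be behind
    their baseline, then devices that could not be checked."""
    outdated, unknown = find_outdated(inventory, baseline)
    lines = [f"UPDATE  {d.name}: {d.version} -> {req} ({d.product})"
             for d, req in outdated]
    lines += [f"UNKNOWN {d.name}: no baseline for {d.product}" for d in unknown]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The "unknown" bucket is deliberate: in a multi-vendor fleet the devices nobody has a baseline for are usually the ones nobody is patching, so the check surfaces them instead of silently passing them.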

Security Best Practices

The use of security best practices by the smart city’s security team is essential. These are:

  1. Implement IP address restrictions on who can connect to smart city devices. The smart city network should remain secure even when the system is reachable from the public internet.
  2. Use application scanning tools to locate vulnerabilities in the smart city.
  3. Use heightened network security rules to prevent access to sensitive systems, together with safe password practices.
  4. Put strong access controls in place.
  5. Disable any unnecessary systems and anything that is not currently in use. Disable remote administration features and ports so that hackers cannot reach them.
  6. Scan network activity and identify suspicious internet traffic with security information and event management (SIEM) tools; this helps counter any attack.
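Items 1 and 6 in the list above can be checked mechanically. The added example below (mine, not code from the original article or from any SIEM product) applies an IP allowlist to constructed device log lines and flags two things: connections to remote-administration ports from addresses outside the allowlist, and bursts of failed logins from a single source. The log line format, the allowlisted networks, the set of administrative ports and the failure threshold are all assumptions made for the example.

```python
"""Allowlist enforcement and suspicious-traffic detection over device logs.

Added example, not from the original article. The log format, the allowlist,
the administrative port set and the failure threshold are assumptions, and
every log line below is constructed.
"""
import ipaddress
import re
from collections import Counter

# Assumed management network and one jump host that may administer devices.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]
# Assumed remote-administration ports; anything else is ordinary service traffic.
ADMIN_PORTS = {22, 23, 443, 8443}
# Failed logins from one source within the analysed window that warrant an alert.
FAIL_THRESHOLD = 3

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn '<timestamp> key=value key=value ...' into a dict (timestamp under 'ts')."""
    fields = dict(KV.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def is_allowed(src: str, allowlist=ALLOWLIST) -> bool:
    """True if src falls inside an allowlisted network; malformed input is denied."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def detect(lines, allowlist=ALLOWLIST, threshold=FAIL_THRESHOLD):
    """Return alert tuples for (a) admin-port connections from unlisted sources,
    reported once per (source, device, port), and (b) sources with at least
    `threshold` failed logins in the analysed lines."""
    alerts, seen = [], set()
    failures = Counter()
    for line in lines:
        ev = parse_line(line)
        src, dev = ev.get("src", ""), ev.get("dev", "?")
        dport = int(ev.get("dport", 0))
        if dport in ADMIN_PORTS and not is_allowed(src, allowlist):
            key = (src, dev, dport)
            if key not in seen:          # one alert per source/device/port
                seen.add(key)
                alerts.append(("unlisted-admin-access", src, dev, dport))
        if ev.get("auth") == "fail":
            failures[src] += 1
    for src, n in failures.items():
        if n >= threshold:
            alerts.append(("auth-failure-burst", src, n))
    return alerts


# Constructed log lines from three devices: one legitimate admin session, one
# unlisted source repeatedly failing SSH logins on a traffic signal, and some
# ordinary traffic that should not raise anything.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z dev=signal-017 src=10.20.0.5 dport=22 auth=ok
2024-05-01T10:00:02Z dev=signal-017 src=203.0.113.9 dport=22 auth=fail
2024-05-01T10:00:03Z dev=signal-017 src=203.0.113.9 dport=22 auth=fail
2024-05-01T10:00:04Z dev=signal-017 src=203.0.113.9 dport=22 auth=fail
2024-05-01T10:00:05Z dev=well-03 src=192.0.2.10 dport=443 auth=ok
2024-05-01T10:00:06Z dev=cam-gw-2 src=198.51.100.7 dport=80 auth=ok
2024-05-01T10:00:07Z dev=cam-gw-2 src=10.20.0.5 dport=22 auth=fail
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note that the allowlist check is applied only to administrative ports: a public-facing service on port 80 is expected to see unlisted addresses, and alerting on every one of them would drown the alert that matters. The single failed login from the allowlisted host stays below the threshold and is not reported.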

The use of ethical hackers for penetration testing

Ethical hackers play a significant role in securing the smart city. They are tasked with testing its security to confirm that it holds and that no attacker can use hacking methods to get in. They can also research emerging technologies and make sure the smart city is upgraded to keep pace with what is on the market.

Cyber-crime laws

Heavy penalties should be put in place to deter attacks on the smart city.

Conclusion

As the world continues to be more interconnected, security threats become greater. To make matters worse, criminals and hackers are increasing their skills and leveraging new technologies.

Therefore, smart city security should be a priority, and security specialists should be involved early in the design process. The standardization of IoT devices is also critical.

Everyone involved in a smart city and in IoT needs to work together and take responsibility for security-related issues. Working together with a unity of purpose towards a secure IoT will be a great stride towards a better future that is protected from unauthorized access.


Cybersecurity Laws – A Complete Overview

Technology has grown exponentially over the past two decades. As time goes by, we continuously benefit from technology and increase our dependence on it. Web applications, drones, mobile applications, industrial automation, machine learning applications, and other technologies have changed our lives. But these technologies also bring immense dangers. Therefore, our governments have introduced cybersecurity laws.

The Scale of the cyber threat

The United States government spends approximately 19 billion dollars every year on cybersecurity. But cyber-attacks continue to increase rapidly every year.

There are three main threats that cybersecurity efforts attempt to mitigate:

  • Cybercrime: single or coordinated acts that target systems for financial gain or to cause disruption.
  • Cyber-attacks: often involve politically motivated information gathering.
  • Cyber-terrorism: intended to undermine electronic systems to cause panic or fear.

With this in mind, cybersecurity laws are designed to provide protection and counter cyber-attacks. Virtually all organizations today have an online component, so cybersecurity laws apply to nearly every business.

What do cybersecurity laws cover?

Cybersecurity laws and regulations tend to cover the most common matters that arise from cyber threats. These matters include a focus on criminal activity, corporate governance, insurance matters, and law enforcement jurisdiction.

Cybersecurity Laws of the Past

In the previous century, cybersecurity laws did not hold much weight. The type of cyber-crime being committed at that time was not as damaging as it is today, and the laws of the time were comparable to copyright protection or laws about software piracy.

Now the threat has grown and much more severe cyber-crimes are the norm. These crimes range from the deployment of ransomware to actual treason, so serious action must be taken to counter and deter them. The increased threat has led to increased legislative action.

Current Cybersecurity Laws

Fines as large as five million dollars and lengthy jail terms have been put in place to curb such activities. Even such penalties may still not be enough, given the damage hackers can cause.

Before 2015, the federal government of the United States was unaware of several attempted data breaches on private institutions. All this changed with the Cybersecurity Act of 2015. After numerous attempts, Congress passed legislation that allowed companies in the U.S. to share personal information related to cybersecurity with the government. The government could use this information as evidence to prosecute crimes.

Difficulty in Prosecution

In the past, cybersecurity crimes were difficult to prosecute for the following reasons:

Area of jurisdiction

One reason prosecutors had trouble was jurisdiction. Many times the person committing the crime was outside the country or the legal jurisdiction of the court. This is why the United States is focused on the international stage and on establishing allies in the cyber world.

Many cybercrimes go unreported.

A majority of cyber-crimes do not get prosecuted because the victims do not report the crime to the authorities. Small, medium, and even large organizations have failed to disclose breaches because of the negative impact and loss of trust that would follow.

Evidence collection was quite difficult.

Digital forensics has evolved dramatically in recent years. Best practices and strict processes have been developed to identify and preserve evidence that can be used to prosecute cyber-criminals. But in the not-so-distant past, prosecution was difficult because few people had the expertise needed to gather and preserve that evidence.

Cyber-criminals use advanced methods to cover their tracks.

The use of Tor and VPNs allows hackers to operate with a certain degree of anonymity. Beyond this, hackers work tirelessly to cover their tracks. Cyber-criminals are on the cutting edge of research, and they continuously work to make themselves harder to identify, track, and apprehend.

What sorts of activities are criminalized by law?

Cybersecurity laws and regulations address crimes in the various jurisdictions where they are committed, including under federal law and county law.

Activities that are made criminal by cybersecurity laws include:

  • Computer hacking
  • Economic espionage
  • Corporate espionage
  • Identity theft
  • Breaking into computer systems, accessing unauthorized data, modifying or deleting the data
  • Stealing confidential information
  • Unauthorized publication or use of communications
  • Criminal infringement of copyright
  • Spreading of fake news
  • Sexual exploitation of children
  • Defacing internet websites
  • Flooding websites with large volumes of irrelevant internet traffic so that they become unavailable to the legitimate users who are supposed to be viewing them

The various categories of the law have also criminalized numerous other crimes committed over the internet.

Ways in which cybersecurity laws are enforced

The United States addresses cybersecurity through sector-specific initiatives, general regulation, and private sector involvement. At the national or federal level, cybersecurity standards are executed using a variety of methods.

Major US Federal Cybersecurity Laws

Health Insurance Portability and Accountability Act (HIPAA) (1996)

HIPAA was enacted in 1996 and signed by President Bill Clinton.

Before HIPAA, there was no standard method for safeguarding the protected personal information (PPI) that organizations in the healthcare industry stored, and no security best practices were in place. One reason there were no cybersecurity standards in the healthcare industry was that health records had traditionally been stored on paper.

Just before the introduction of HIPAA, the healthcare industry was scrambling to move away from paper records in order to become more efficient. The push for efficiency drove the need to access and transfer patient information quickly.

Since there was an urgency to convert to electronic healthcare records, many companies were founded to capitalize on that need. Security for most of these companies was merely an afterthought. The government quickly saw the need to create regulations in an attempt to enforce security standards.

The primary objectives of HIPAA include:

  • Modernize how healthcare information is stored and processed
  • Ensure that private personal information is adequately protected by hospitals, insurance companies, and other health-related organizations
  • Address limitations on healthcare insurance

Gramm-Leach-Bliley Act (GLBA) (1999)

The Gramm-Leach-Bliley Act was signed into law in 1999. It is also known as the Financial Services Modernization Act of 1999.

The main thing GLBA did was repeal a portion of an outdated law from 1933, the Glass–Steagall Act. The Glass–Steagall Act prevented companies from doing combined business in banking, securities, and insurance; a bank was not allowed to sell insurance or securities.

Along with this, GLBA requires financial institutions to disclose how they store and protect their customers' private information. GLBA introduced Safeguard Rules that must be followed, and these rules are explicitly defined in the law. Among other things, the safeguard rules include:

  • Conduct background checks on employees who will have access to customer information
  • Require new employees to sign a confidentiality pledge
  • Limit access to private information on a "need to know" basis
  • Require strong passwords that are changed frequently
  • Require computer screens to lock after a specific period of inactivity
  • Enact security policies for devices and for data encryption
  • Conduct initial and periodic security training for employees, and regularly remind them of the policy
  • Develop policies for remote work security
  • Develop policies that enforce security violations through discipline
  • Take steps to secure data at rest and data in transit, and control access to this data
  • Dispose of information securely

Homeland Security Act (2002)

The Homeland Security Act was signed into law by George W. Bush in 2002. This act included the Federal Information Security Management Act (FISMA).

The United States introduced the Homeland Security Act following several terrorist attacks in the United States. These include the World Trade Center bombing and the mailing of anthrax spores to some news outlets and government officials.

The Homeland Security Act established the Department of Homeland Security (DHS). Beyond this, the act also had other purposes, including FISMA cybersecurity-related regulations. FISMA included the implementation of the National Institute of Standards and Technology (NIST). NIST became responsible for developing standards, guidelines, and methods for cybersecurity protections.

The National Institute of Standards and Technology (NIST) outlines nine steps toward compliance with FISMA:

  1. Categorize the information to be protected.
  2. Select minimum baseline controls.
  3. Refine controls using a risk assessment procedure.
  4. Document the controls in the system security plan.
  5. Implement security controls in the appropriate information systems.
  6. Assess the effectiveness of the security controls after implementation.
  7. Determine agency-level risk to the mission or business case.
  8. Authorize the information system for processing.
  9. Monitor the security controls continuously.

Are These Laws Enough?

The three regulations outlined above cover mandates for healthcare organizations, financial institutions, and federal agencies. But many other industries have no applicable cybersecurity laws.

Some argue that additional government intervention is not necessary: it is in the best interest of any business to secure its data and sensitive information, and the stakes are so high that companies and organizations already spend massive amounts of capital on this effort.

Others argue that it is the government's responsibility to protect its citizens, and that this responsibility requires the introduction and enforcement of laws to ensure that citizens are protected.

Data breaches and successful attacks continue to hit organizations despite their best efforts to comply with laws, standards, and best practices. Even so, effective laws can certainly help toward the objective of keeping data safe.