1 of 50

NIST CSF

CyberSecurity Framework

Risk Assessment & Management

Federico Calzolari, Scuola Normale Superiore - EDIH Tuscany X.0

2 of 50

NIST

(US) National Institute of Standards and Technology

3 of 50

Bio

Federico Calzolari

  • Scuola Normale Superiore: Chief Information Security Officer, Head of HPC
  • CERN, CMS experiment: Higgs Boson discovery 2012 - Physics Nobel Prize 2013
  • EU Project Manager of European Digital Innovation Hub Tuscany X.0: AI, HPC, Cybersecurity
  • Tuscany C3T (Cybersecurity Competence Center) & CSIRT: Technical Scientific Committees
  • Consultant for IT crimes at the District Attorney's office
  • First exploit of the Google Ranking algorithms (2007)

Email: federico.calzolari@sns.it

Web: https://cern.ch/fede


4 of 50

Contents

  1. Cybersecurity basics
  2. Legislative Framework
  3. Risk Assessment
  4. Cybersecurity Framework
  5. Risk Management


5 of 50

CyberCrime Statistics

  • A hacker attack every 20 seconds
  • 50,000 websites breached every day
  • 1 billion personal data records stolen or exposed every year

  • Minutes to compromise, months to detect, years to recover
  • Average cost of a breach: $200,000
  • Cybercrime costs the global economy $10 trillion every year

  • 95% of cybersecurity breaches are caused by human error
  • 80% of attacks are not detected by victims
  • 99% of malware is detected only once
  • Email is the most common method used by hackers to spread malware


6 of 50

The invention of the Web

Tim Berners-Lee, CERN 1989:

  • HTML: HyperText Markup Language
  • HTTP: Hypertext Transfer Protocol
  • URL: Uniform Resource Locator
  • the first Web Server: HTTPD
  • the first Browser: WorldWideWeb

Tim Berners-Lee:

  • World Wide Web Consortium (W3C)
  • Turing Prize 2016


7 of 50

Internet Rule 34


8 of 50

Internet Rule 34-bis

For every technological invention there is "at least" one fall into the world of crime

9 of 50

Anatomy of an Attack

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge): a guideline for classifying and describing cyberattacks and intrusions.

10 of 50

The only limit is your imagination

11 of 50

Cyberattacks Reasons


12 of 50

Cybersecurity Basics

Cybersecurity

Protecting electronic devices and associated data/information.


13 of 50

Legislative Framework

Cybersecurity

Privacy


14 of 50

Complexity of a modern business

  • Devices (fixed, mobile, BYOD)
  • Email
  • WebSite
  • Social Media
  • Ecommerce systems
  • Online Banking
  • Policies
  • Network Management
  • Backup and Remote Access


15 of 50

Cybersecurity Objectives

Confidentiality

Protecting information from unauthorized access and disclosure

Example: A criminal steals customers' usernames, passwords, or credit card information.

Integrity

Protecting information from unauthorized modification

Example: Someone alters payroll information or a proposed product design.

Availability

Preventing disruption in how information is accessed

Example: Your customers are unable to access your online services.

Figure: the CIA triad (confidentiality, integrity, availability)

16 of 50

Small Business, Big Impact

Why put your already limited resources into preparing for and protecting against cybersecurity attacks?

Vulnerability: Attackers can see small businesses as easy targets.

Business Costs: Attacks can be extremely costly and threaten the viability of your business.

Reputation: Customers and employees expect and trust you to keep their information secure.


17 of 50

Cybersecurity Threats

  • Phishing Attacks: social engineering attacks
  • Ransomware: data is encrypted, a ransom is demanded to decrypt it
  • Hacking: unauthorized access, DDoS
  • Imposter Scams: fake official email
  • Environmental events: natural threats (fire, earthquake, flood)


18 of 50

[Cyber] Risk Management

  1. Assets Inventory: detailed list of the assets owned by an organization
  2. Risk Assessment: identification of hazards that could negatively impact an organization
  3. Vulnerability Scan: inspection of the target attack surface to discover security vulnerabilities
  4. Countermeasures: procedures to protect an IT system or reduce its vulnerability


19 of 50

Risk Assessment

  1. What are the threats?
  2. What are the vulnerabilities?
  3. What is the likelihood of a threat exploiting a vulnerability?
  4. What would be the impact of this to your business?


20 of 50

Risk Assessment: What next?

Risk Assessment Goals:

  1. Risk Level visualization
  2. Risk Prioritization: determining which risk to address first - based on the likelihood of a risk and the impact that it would make (risk assessment matrix)
  3. Risk Mitigation Strategies: Avoid, Reduce, Transfer, Accept


21 of 50

Risk Management

  1. Identify your business assets

List the types of information, processes, important people and technology your business relies upon.

  • Identify the assets' value

What would happen to my business if my asset was made public, damaged or unreachable?

  • Evaluate the impact to your business of loss/damage to the assets

Consider the impact to your business if each asset were lost, damaged, or reduced in value (e.g. intellectual property revealed to competitors).

  • Identify likelihood of loss/damage

List the threats to each business asset. Evaluate the likelihood that the asset may be lost or damaged by the threats.

  • Prioritize your mitigation activities accordingly

Assign priorities according to impact and likelihood scores and identify potential solutions: assets with high impact and/or likelihood scores should be assigned top priority.


22 of 50

Risk Scoring


23 of 50

Risk Analysis

Risk = Impact x Likelihood

Likelihood: probability of a potential risk occurring

Residual Risk = Inherent Risk - Impact of risk Controls = Inherent Risk x (1 - Treatment%)

Residual Risk: risk remaining after security measures have been applied

Risk Mitigation Strategies:

  1. Avoid the Risk
  2. Risk Reduction
  3. Risk Transfer
  4. Risk Acceptance
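The scoring on this slide (Risk = Impact x Likelihood, Residual Risk = Inherent Risk x (1 - Treatment%)) together with the prioritization rule of the Risk Management slide, carried through in Python as an added example; this is not code from the slides, and the 5-point scales, the level thresholds and the sample register are this example's assumptions.

```python
"""Asset-driven risk register (added example, not from the slides):
Risk = Impact x Likelihood, residual risk after controls, and prioritization."""
from dataclasses import dataclass

def risk_level(score: int) -> str:
    """Band a 1..25 inherent score on the 5x5 matrix; thresholds are an assumption."""
    return "Critical" if score >= 15 else "High" if score >= 10 else "Medium" if score >= 5 else "Low"

@dataclass
class Risk:
    asset: str
    threat: str
    impact: int               # 1 (negligible) .. 5 (severe), assumed scale
    likelihood: int           # 1 (rare) .. 5 (almost certain), assumed scale
    treatment: float = 0.0    # fraction of the risk removed by controls, 0..1
    strategy: str = "Accept"  # Avoid / Reduce / Transfer / Accept

    def inherent(self) -> int:
        return self.impact * self.likelihood                # Risk = Impact x Likelihood

    def residual(self) -> float:
        return self.inherent() * (1.0 - self.treatment)     # Inherent x (1 - Treatment%)

def validate(r: Risk) -> None:
    """Reject out-of-scale scores so a typo cannot silently deflate a risk."""
    if not (1 <= r.impact <= 5 and 1 <= r.likelihood <= 5):
        raise ValueError(f"{r.asset}: impact and likelihood must be 1..5")
    if not (0.0 <= r.treatment <= 1.0):
        raise ValueError(f"{r.asset}: treatment must be between 0 and 1")

def prioritize(register: list) -> list:
    """Rows (asset, threat, inherent, level, residual), highest inherent risk first;
    ties go to the higher impact, so a rare but severe event outranks a frequent nuisance."""
    for r in register:
        validate(r)
    ordered = sorted(register, key=lambda r: (r.inherent(), r.impact), reverse=True)
    return [(r.asset, r.threat, r.inherent(), risk_level(r.inherent()), r.residual())
            for r in ordered]

# Constructed sample register for a small business; every value is illustrative.
REGISTER = [
    Risk("customer database", "ransomware", 5, 4, treatment=0.6, strategy="Reduce"),
    Risk("e-commerce site", "DDoS", 4, 3, treatment=0.5, strategy="Transfer"),
    Risk("payroll file", "unauthorized modification", 4, 2, treatment=0.75, strategy="Reduce"),
    Risk("office printer", "fire", 1, 1),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(row)
```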


24 of 50

Risk Management Table


Risk Matrix

Prioritize Assets

25 of 50

Company processes Maturity levels


26 of 50

Maturity levels Costs


27 of 50

NIST CSF: Cybersecurity Framework


28 of 50

NIST CSF: Cybersecurity Framework

NIST CSF consists of 3 main components:

  • Framework Core: desired cybersecurity activities and outcomes.
  • Implementation Tiers: degree of rigor in risk management practices.
  • Profiles: objectives, risk tolerance, resources alignment against CSF Core.

https://www.nist.gov/cyberframework/online-learning/components-framework


29 of 50

NIST CSF: Core

Core: desired cybersecurity activities and outcomes.

NIST CSF is a set of security and privacy controls for improving critical infrastructure cybersecurity, based on the NIST SP 800 controls catalog (NIST SP 800-53).

NIST SP 800: 20 Families, 1007 Controls

NIST CSF: 5 Functions, 23 Categories, 108 Controls

ISO 27001: 4 Themes, 93 Controls


30 of 50

NIST CSF

Subcategory | Informative References
--- | ---
ID.BE-1: The organization's role in the supply chain is identified and communicated | COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated | COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14
ID.BE-4: Dependencies and critical functions for delivery of critical services are established | ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
ID.BE-5: Resilience requirements to support delivery of critical services are established | COBIT 5 DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14

Function | Category | ID
--- | --- | ---
Identify | Asset Management | ID.AM
Identify | Business Environment | ID.BE
Identify | Governance | ID.GV
Identify | Risk Assessment | ID.RA
Identify | Risk Management Strategy | ID.RM
Identify | Supply Chain Risk Management | ID.SC
Protect | Identity Management & Access Control | PR.AC
Protect | Awareness and Training | PR.AT
Protect | Data Security | PR.DS
Protect | Information Protection Processes & Procedures | PR.IP
Protect | Maintenance | PR.MA
Protect | Protective Technology | PR.PT
Detect | Anomalies and Events | DE.AE
Detect | Security Continuous Monitoring | DE.CM
Detect | Detection Processes | DE.DP
Respond | Response Planning | RS.RP
Respond | Communications | RS.CO
Respond | Analysis | RS.AN
Respond | Mitigation | RS.MI
Respond | Improvements | RS.IM
Recover | Recovery Planning | RC.RP
Recover | Improvements | RC.IM
Recover | Communications | RC.CO

31 of 50

1. Identify

Develop organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Categories: Business Environment [ID.BE], Asset Management [ID.AM], Governance [ID.GV], Risk Assessment [ID.RA]

  • Identify critical business processes
  • Document Information flows
  • Establish policies for cybersecurity that include roles and responsibilities
  • Maintain hardware and software inventory
  • Identify contracts with external partners
  • Identify Risk Management processes

32 of 50

2. Protect

Develop and implement the appropriate safeguards to ensure delivery of services.

Categories: Data Security [PR.DS], Awareness and Training [PR.AT], Protective Technology [PR.PT], Identity Management and Access Control [PR.AC], Maintenance [PR.MA], Information Protection Processes and Procedures [PR.IP]

  • Manage access to assets and information
  • Conduct regular backups
  • Protect sensitive data
  • Patch operating systems and applications
  • Create response and recovery plans
  • Protect your network
  • Train your employees

33 of 50

3. Detect

Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.


  • Install and update anti-virus and other malware detection software
  • Know what the expected data flows for your business are
  • Maintain and monitor logs

Categories: Anomalies and Events [DE.AE], Continuous Monitoring [DE.CM]

34 of 50

4. Respond

Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.


  • Coordinate with internal and external stakeholders
  • Ensure response plans are tested
  • Ensure response plans are updated

Categories: Response Planning [RS.RP], Communications [RS.CO]

35 of 50

5. Recover

Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.


  • Manage public relations and company reputation
  • Communicate with internal and external stakeholders
  • Ensure recovery plans are updated
  • Consider cyber insurance

Categories: Recovery Planning [RC.RP], Communications [RC.CO]

36 of 50

NIST CSF

Figure: the NIST CSF wheel, showing the five Functions with the Categories covered in the previous slides: Identify (Business Environment [ID.BE], Asset Management [ID.AM], Governance [ID.GV], Risk Assessment [ID.RA]); Protect (Data Security [PR.DS], Awareness and Training [PR.AT], Protective Technology [PR.PT], Identity Management and Access Control [PR.AC], Maintenance [PR.MA], Information Protection Processes and Procedures [PR.IP]); Detect (Continuous Monitoring [DE.CM], Anomalies and Events [DE.AE]); Respond (Response Planning [RS.RP], Communications [RS.CO]); Recover (Recovery Planning [RC.RP], Communications [RC.CO])

37 of 50

NIST CSF: Implementation Tiers

Implementation Tiers: the degree of rigor in cybersecurity risk management practices.

  • Tier 1: partial implementation
  • Tier 2: risk-informed
  • Tier 3: repeatable
  • Tier 4: adaptive


38 of 50

NIST CSF: Profiles

Profiles: the organization's alignment of its requirements, objectives, risk tolerance and resources against the CSF Core.

Creating profiles and performing a gap analysis between them allows organizations to build a prioritized implementation plan and define a roadmap / action plan.

Ex: profile AS_IS vs TO_BE


39 of 50

NIST CSF: Framework Implementation

Framework implementation process in 7 steps:

1: Prioritize and Scope | 2: Orient | 3: Create a Current Profile | 4: Conduct a Risk Assessment | 5: Create a Target Profile | 6: Determine, Analyze, and Prioritize Gaps | 7: Implement Action Plan
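The Profile work described on the last two slides (Current Profile AS_IS vs Target Profile TO_BE, gap analysis, prioritized action plan; steps 3 to 6 of the implementation process) worked through in Python as an added example; this is not code from the slides or from NIST, and the 0..4 per-Category scoring, the priority weights and both sample profiles are this example's assumptions.

```python
"""NIST CSF profile gap analysis (added example, not from the slides or NIST):
Current Profile vs Target Profile per Category, ranked for the action plan."""

# Assumed scoring: each Category is rated 0..4, reusing the four Implementation
# Tiers as a ladder (0 = not addressed, 1 Partial, 2 Risk-informed, 3 Repeatable, 4 Adaptive).
TIERS = {0: "Not addressed", 1: "Partial", 2: "Risk-informed", 3: "Repeatable", 4: "Adaptive"}

# Constructed AS_IS (current) and TO_BE (target) profiles for a few CSF Categories.
CURRENT = {"ID.AM": 1, "ID.RA": 1, "PR.AC": 2, "PR.DS": 2, "DE.CM": 1, "RS.RP": 0, "RC.RP": 1}
TARGET = {"ID.AM": 3, "ID.RA": 3, "PR.AC": 4, "PR.DS": 3, "DE.CM": 3, "RS.RP": 3, "RC.RP": 3}
# Business priority per Category (1 low .. 3 high): assumed, set by the organization.
PRIORITY = {"ID.AM": 3, "ID.RA": 3, "PR.AC": 3, "PR.DS": 2, "DE.CM": 2, "RS.RP": 3, "RC.RP": 1}


def gap_analysis(current: dict, target: dict, priority: dict) -> list:
    """Return (category, current, target, gap, weighted_gap) rows, largest weighted gap
    first. A Category missing from the current profile counts as 0 (not addressed);
    a Category already at or above its target has gap 0 and sorts last."""
    rows = []
    for cat, tgt in target.items():
        cur = current.get(cat, 0)
        if not (0 <= cur <= 4 and 0 <= tgt <= 4):
            raise ValueError(f"{cat}: scores must be within {sorted(TIERS)}")
        gap = max(tgt - cur, 0)
        rows.append((cat, cur, tgt, gap, gap * priority.get(cat, 1)))
    return sorted(rows, key=lambda r: (-r[4], -r[3], r[0]))


def function_coverage(current: dict, target: dict) -> dict:
    """Percent of the target reached per Function (ID, PR, DE, RS, RC): the values
    a radar chart of the framework results would plot. Overshoot is capped at target."""
    reached, wanted = {}, {}
    for cat, tgt in target.items():
        fn = cat.split(".")[0]
        wanted[fn] = wanted.get(fn, 0) + tgt
        reached[fn] = reached.get(fn, 0) + min(current.get(cat, 0), tgt)
    return {fn: round(100 * reached[fn] / wanted[fn]) for fn in wanted if wanted[fn]}


if __name__ == "__main__":
    for cat, cur, tgt, gap, weighted in gap_analysis(CURRENT, TARGET, PRIORITY):
        print(f"{cat}: {TIERS[cur]} -> {TIERS[tgt]} (gap {gap}, weighted {weighted})")
    print(function_coverage(CURRENT, TARGET))
```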


40 of 50

NIST CSF: Visualization Tools

Framework Results Visualization Tools

- https://csf.tools/visualizations/csf-sunburst/ # NIST CSF Visualization Tools

- https://johnmasserini.com/resources/downloads # NIST CSF Maturity Tool: Radar chart [Excel]


41 of 50

NIST CSF: Results Chart

Framework Results Chart

Another way to present Security Assessment metrics is a radar chart, in which the Framework controls are ranked against their target values.


42 of 50

NIST CSF: Year-over-year Comparison

Framework Results Charts [per year]

43 of 50

Everyday Tips (from NIST)

  • Be careful of email attachments, web links and voice calls from unknown numbers.
  • Do not click on a link or open an attachment that you were not expecting.
  • Use separate personal and business computers, mobile devices, and accounts.
  • Use multi-factor authentication where offered.
  • Do not download software from an unknown web page.
  • Never give out your username or password.
  • Consider using a password management application to store your passwords for you.


44 of 50

Italian Cybersecurity Framework

CINI: Consorzio Interuniversitario Nazionale per l'Informatica

Framework Nazionale per la Cybersecurity e la Data Protection (National Framework for Cybersecurity and Data Protection)

https://www.cybersecurityframework.it

CyberSecurity Framework Tool: a set of tools intended to ease the adoption and spread of the Framework Nazionale di cyber security. The Framework can help a company organize a cyber risk management path that evolves over time, according to its business, its size and other specific, characterizing elements of the company.

45 of 50

Cybersecurity Framework - Components

  • Core: list of security controls, best practices.
  • Profiles: current/desired posture of an organization.
  • Priority: priority in the implementation of specific controls.
  • Maturity: measure of the maturity of a security process.
  • Tiers: level of integration of cybersecurity into risk management processes.
  • Contextualization: definition of the priority/maturity levels for each control.

46 of 50

Cybersecurity Framework - Procedure

47 of 50

Cybersecurity Framework - Steps


48 of 50

Company Risk Assessment: Working Hypotheses

  1. Asset-driven Risk Assessment
  2. analysis of Assets, Value, Threats, Likelihood, Countermeasures, Risk management Strategy
  3. analysis of company assets, costs/benefits
  4. assets: physical/virtual assets; data at the desired level of detail (e.g., administrative data > accounting > customers > invoices)
  5. for internal use: snapshot of the current/future state, cost analysis, strategic decisions

  • Cybersecurity Framework-driven Risk Assessment
  • analysis of the company's posture in terms of information security: compliance with the controls required by the reference Framework (e.g., NIST CSF Functions: Identify, Protect, Detect, Respond, Recover)
  • for external use (compliance): level of exposure to cyber risk in information management

49 of 50

Cybersecurity Frameworks that can be used

  1. NIST CSF: 5 Functions, 23 Categories, 108 Controls. National Institute of Standards and Technology, Cybersecurity Framework
  2. CIS CSC: 20 Security Controls. Center for Internet Security, Critical Security Controls
  3. CINI Framework Nazionale per la Cybersecurity e la Data Protection: ~NIST CSF. Consorzio Interuniversitario Nazionale per l'Informatica | version based on NIST CSF
  4. CINI Controlli Essenziali di Cybersecurity: 15 security controls. Consorzio Interuniversitario Nazionale per l'Informatica | simplified version
  5. ISO 27001:2022: 4 Themes, 93 Controls. International Organization for Standardization, Information Security Management Systems

50 of 50

Company training

  • Training for all "Administrative" staff + Department Heads
  • Training on topics related to information security best practices, and examples of real attacks.
  • Recommendation: short "lessons" (max. 1 hour; they ensure a higher level of attention), with an additional half hour for possible discussion of use cases or answers to questions pre-formulated by company staff (if considered interesting).
  • Repeatable training, to be delivered to groups that need not be homogeneous (there is no need to differentiate training for staff working in different company departments), and recordable.

  • Training for "Operational" staff (optional)
  • could be delivered by viewing one of the sessions held with Administrative staff, recorded for this purpose; there is no problem in keeping it for internal use.