Cynthia Brumfield - Cybersecurity Risk Management

Cynthia Brumfield

Cybersecurity analyst, writer and President of DCT Associates, Washington, D.C., USA

with

Brian Haugli

Managing Partner, SideChannel, Boston, USA

This edition first published 2022

© 2022 Cynthia Brumfield and Brian Haugli

Published by John Wiley & Sons, Inc.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.

The right of Cynthia Brumfield and Brian Haugli to be identified as the authors of this work has been asserted in accordance with law.

Registered Office

John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA

Editorial Office

The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK

For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.

Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Some content that appears in standard print versions of this book may not be available in other formats.

Limit of Liability/Disclaimer of Warranty

While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Library of Congress Cataloging-in-Publication Data

Names: Brumfield, Cynthia, author. | Haugli, Brian, author. | John Wiley & Sons, publisher.

Title: Cybersecurity risk management : mastering the fundamentals using the NIST cybersecurity framework / Cynthia Brumfield, Brian Haugli.

Description: Hoboken, NJ : John Wiley & Sons, Inc., 2022. | Includes bibliographical references and index.

Identifiers: LCCN 2021024435 (print) | LCCN 2021024436 (ebook) | ISBN 9781119816287 (hardback) | ISBN 9781119816294 (pdf) | ISBN 9781119816300 (epub) | ISBN 9781119816348 (ebook)

Subjects: LCSH: Computer security--Risk management.

Classification: LCC QA76.9.A25 B82 2022 (print) | LCC QA76.9.A25 (ebook) | DDC 005.8--dc23

LC record available at https://lccn.loc.gov/2021024435LC ebook record available at https://lccn.loc.gov/2021024436

Cover image: © Henrik5000/Getty Images

Cover design by Wiley

Set in 11.5/13pt BemboStd by Integra Software Services, Pondicherry, India

This book is dedicated to Lloyd and Delma Brumfield, who gave me everything I needed, and then some.

1 Cover

2 Title page Cybersecurity Risk Management Mastering the Fundamentals Using the NIST Cybersecurity Framework Cynthia Brumfield Cybersecurity analyst, writer and President of DCT Associates, Washington, D.C., USA with Brian Haugli Managing Partner, SideChannel, Boston, USA

3 Copyright

4 Dedication

5 Academic Foreword

6 Acknowledgments

7 Preface – Overview of the NIST Framework Background on the FrameworkFramework Based on Risk ManagementThe Framework CoreFramework Implementation TiersFramework ProfileOther Aspects of the Framework DocumentRecent Developments At Nist

8 CHAPTER 1 Cybersecurity Risk Planning and Management IntroductionI. What Is Cybersecurity Risk Management? A. Risk Management Is a Process II. Asset Management A. Inventory Every Physical Device and System You Have and Keep the Inventory Updated B. Inventory Every Software Platform and Application You Use and Keep the Inventory Updated C. Prioritize Every Device, Software Platform, and Application Based on Importance D. Establish Personnel Security Requirements Including Third-Party Stakeholders III. Governance A. Make Sure You Educate Management about Risks IV. Risk Assessment and Management A. Know Where You’re Vulnerable B. Identify the Threats You Face, Both Internally and Externally C. Focus on the Vulnerabilities and Threats That Are Most Likely AND Pose the Highest Risk to Assets D. Develop Plans for Dealing with the Highest Risks SummaryChapter QuizEssential Reading on Cybersecurity Risk Management

9 CHAPTER 2 User and Network Infrastructure Planning and Management I. IntroductionII. Infrastructure Planning and Management Is All about Protection, Where the Rubber Meets the Road A. Identity Management, Authentication, and Access Control 1. Always Be Aware of Who Has Access to Which System, for Which Period of Time, and from Where the Access Is Granted2. Establish, Maintain, and Audit an Active Control List and Process for Who Can Physically Gain Access to Systems3. Establish Policies, Procedures, and Controls for Who Has Remote Access to Systems4. Make Sure That Users Have the Least Authority Possible to Perform Their Jobs and Ensure That at Least Two Individuals Are Responsible for a Task5. Implement Network Security Controls on All Internal Communications, Denying Communications among Various Segments Where NecessaryA Word about Firewalls6. Associate Activities with a Real Person or a Single Specific Entity7. Use Single– or Multi–Factor Authentication Based on the Risk Involved in the InteractionIII. Awareness and Training A. Make Sure That Privileged Users and Security Personnel Understand Their Roles and Responsibilities IV. Data Security A. Protect the Integrity of Active and Archived Databases B. Protect the Confidentiality and Integrity of Corporate Data Once It Leaves Internal Networks C. Assure That Information Can Only Be Accessed by Those Authorized to Do So and Protect Hardware and Storage Media D. Keep Your Development and Testing Environments Separate from Your Production Environment E. Implement Checking Mechanisms to Verify Hardware Integrity V. Information Protection Processes and Procedures A. Create a Baseline of IT and OT Systems B. Manage System Configuration Changes in a Careful, Methodical Way A Word about Patch Management C. Perform Frequent Backups and Test Your Backup Systems Often D. Create a Plan That Focuses on Ensuring That Assets and Personnel Will Be Able to Continue to Function in the Event of a Crippling Attack or Disaster VI. Maintenance A. Perform Maintenance and Repair of Assets and Log Activities Promptly B. Develop Criteria for Authorizing, Monitoring, and Controlling All Maintenance and Diagnostic Activities for Third Parties VII. Protective Technology A. Restrict the Use of Certain Types of Media On Your Systems B. Wherever Possible, Limit Functionality to a Single Function Per Device (Least Functionality) C. Implement Mechanisms to Achieve Resilience on Shared Infrastructure SummaryChapter QuizEssential Reading on Network Management