20 March 2019

Why Is The NIST Framework Important?

Alarice Rajagopal

Special guest Ben Brooks, Special Intelligence and Electronic Warfare Veteran and current Vice President of Cyber Security consulting firm Beryllium joined George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, in episode #75 on Monday night.

Co-hosts Tom Pageler Chief Security Officer of BitGo, Inc. and Andy Bonillo, Global Head of Information Security for AIG, also joined the lineup to talk about the importance of the NIST Framework, what gaps need to be filled to defend against the ever increasing sophistication of cyber attacks, the security of cloud infrastructures, and the impact of artificial intelligence on the cyber security industry.

Brooks also gave his opinion on whether or not the United States is in a Cyber War, what the average person can do to strengthen their personal cyber security posture, and why skills and experiences learned from the military translate so well to the cyber security industry.

Brooks explained his role at Beryllium as more like COO, and how the name of the company came about: From the periodic table of elements. And while the name may sound cool, by itself it doesn’t do anything that great. But when you add it to other materials, it makes it one of the strongest elements on the planet (kind of like cyber security). The company is also a veteran owned small business, and as explained on its website, “We ‘serve’ to protect your organization from current and future cyber threats, which in turn protects our nation.”

InfoSec, Cyber Security And Frameworks

“Do we have elite cyber security folks working in the DoD and Government?” asked Brooks. “Yes. Are all segments of the DoD and Government elite? No. In some ways we’re above and beyond, but we always have work to do.”

He also noted that there’s a difference between information security and cyber security. InfoSec, traditionally on the DoD side, was about basic classifications of information. But on the civilian side, it’s about controlling information properly — making sure the right people have the right access to the right information.

“The NIST information and cyber security standards are really where it’s at,” according to Brooks. NIST has an entire team dedicated to compiling the most up-to-date information on cyber security attacks. It maintains the National Vulnerability Database and builds an open-source framework, along with recommendations, that any organization can apply – no matter its size.

Rettas explained that there is also a financial institutions framework among others, and wondered if “at some point, why do we even need to look at other frameworks in certain cases?” He explained that if there is some “regulatory harmony” at some point then – “why go anywhere else?”

“That’s Xanadu, right? Unfortunately we’re really far away from that,” said Brooks. That’s why the cyber security framework NIST puts out is great – “people can consume it in spoonfuls instead of all at once.” Otherwise, organizations wouldn’t know where to start.

“I agree with that,” said Pageler. “You can map NIST to other standards. We’re a ways off, but more and more of us are seeing the advantages of it. A lot of companies in third party reviews are asking for some kind of framework.”

Bonillo then asked about framework consolidation – “will there be a regulatory body sitting on top of that?”

According to Brooks it’ll “be a money play unless the government steps in.” He said that someone will try and grab for that and “we should resist it. Whatever that regulatory body is, has to do it for the right reasons and we have to make sure of that.”

Rettas asked about resources for small business owners — “if you’re a small business owner, how do you tackle cyber security?” Brooks offered this advice for SMBs:

Look at what kind of information your SMB needs to protect.

Determine if there are regulatory requirements that have to be followed (e.g. a grocery chain needs to protect credit card information, so PCI needs to be adopted).

Determine what you already have in place and how it can be improved in accordance with best practices from the free (open for referencing) frameworks out there.

Brooks cautions, though, that it will have some cost. Even if the framework is open source, in the end, it’s “always cheaper than taking that hit of losing reputation … or having to re-buy infrastructure, etc.”

IT Is Not Security

“IT is not security and security is not IT.” What Brooks means by that is information security is about trying to protect information, while IT is about information sharing. You have to have IT folks, and you need security folks; otherwise you’re only doing half the job. “It’s about finding the balance between the two.”

Rettas brought up emerging technologies and asked, “Is cloud technology safer?”

Brooks said that “I hear people say, we’re in the cloud so we’re secure,” which he noted is “kind of ridiculous really.” The cloud is just an organization of computers; it just means there is no infrastructure on site anymore. “Be careful when you think it’s safer than on premise technology,” warned Brooks. A lot of cloud deployments are actually less safe, and it depends heavily on who is setting up the infrastructure and who is programming the cloud servers (or serverless functions) – “it’s still computing somewhere and has to be set up with security in mind.”

Bonillo asked, “How do you make the transition to the cloud?”

First, Brooks advised working out whether or not you can set up in the cloud cheaper than on premise infrastructure. If you can do it for less, then that’s great. Now, “did you think about security?” If not, companies need to think about the cost of security and make sure the cloud is still the cheaper option. If it costs more to transition to the cloud and then add security on top of that, then don’t do it. You should still get the same performance, according to Brooks.

Rettas then switched to AI and its impact on cyber security, noting that it was brought up quite a bit at RSAC recently as a way to fill the talent gap.

Brooks cautioned that we have to be very careful when we use the term AI. People confuse it with machine learning (ML). AI will learn on its own and can think outside of its originally defined parameters, and we’re not there yet. “Will it help with cyber security tremendously? You better believe it. Even now ML is making a significant impact looking for anomalies in systems.” If something is acting in a way that we weren’t expecting, it prompts us to investigate it further.

“Is AI the next arms race?” asked Bonillo. “Will countries’ machines fight other countries’ machines?”

Quantum computing is right up there with it, Brooks noted. It may lead to better ML, and to new technologies that we haven’t even thought of yet.

But according to Pageler, with AI and quantum computing, the driver may be private industry and not so much countries. It may come from autonomous driving or flying, and it will come down to life-and-death scenarios. “In the private sector – it’s scary. If someone has quantum computers, they own the world at that point,” Pageler said.

Is The US In Cyber War?

“Is the US in cyber war now?” asked Rettas.

“We have petabytes of information being exfiltrated from the U.S. From private industry, from universities, from the government, directly to other nation states with malicious intent for sure,” Brooks said. “As a military professional – that is a provoking act.” While he explained that war is oftentimes associated with human casualties, “we’re not quite there yet.”

Rettas added, “That is the differentiation. They associate war with human casualties and it will get worse until there is a loss of life. Without it, it’s not taken seriously, so when will it cross the line?” Rettas then asked Brooks for advice for every individual and not just the enterprise, “Why should anyone know what to do with their computers?”

“It doesn’t matter how big or small you are – once your device is seen on the internet, it’s a matter of moments before someone out there who is looking at content, knows your device is there,” Brooks explained. Cyber criminals will take all that information and use it on the black market to compile information and use it for an attack. “It’s like opening a store with no lock on the door and advertising you’re open.”

Rettas and Brooks discussed what anyone can do to strengthen their information security without being a cyber security expert:

Understand what kind of info you have and determine if it really needs to be out there (such as medical records).

Ask yourself, ‘do I need this thing to connect to the internet?’ (For example, do I need a grill that’s going to alert me from across town when to turn the meat around, or can I just set a timer?)

If you don’t want it out there for everyone else to see, don’t put it on the internet (or even on the computer).

If your company doesn’t offer training, go get it. Understand what bad guys are doing and why. What are the telltale signs? You don’t send your kids out on the streets without telling them not to talk to strangers.
