Many enterprises are still unprepared for the exponential growth of cyberattacks and the increasing sophistication of those attacks. What’s more, attack surfaces are growing meaning that more assets are being exposed to cyberattacks and the frequency of exposure increases. Much of the blame for the increase in compromises lie with software components that are overexposed or misconfigured with improper permissions. And as international cyberwarfare becomes more of a state-endorsed tactic, private enterprises can more easily fall victim to cybercriminals.
Without the proper cybersecurity guidance, companies are more prone to Denial of Service attacks, data exfiltration, ransomware, and other nefarious acts. Thankfully, plenty of guidelines are available to help organizations strengthen their systems. For example, standard cybersecurity frameworks can greatly inform an overall security strategy.
According to the Secure DevOps and Misconfigurations report, conducted by Cloud Security Alliance, the most important security frameworks for organizations are as follows: National Institute of Standards and Technology’s Cybersecurity Framework (78%), CIS Security Foundations Benchmarks (67%), CSA’s Cloud Controls Matrix (66%), ISO (54%), and AWS (44%).
Below, we’ll review each of these five cybersecurity frameworks. I’ll consider why these benchmarks are helpful to follow, and see who’s behind them. Whether you’re just getting into IT security, or a seasoned professional, these centers are definitely good to follow for knowledge to help decrease risk.
The National Institute of Standards and Technology (NIST) is a renowned standards-setting body overseen by the U.S. government. The guidelines issued by NIST act as recommendations for government agencies and also inform the private sector. The NIST Cybersecurity Framework, initiated by an Obama-era 2013 Executive Order 13636 on Improving Critical Infrastructure Cybersecurity, directed NIST to develop standards and practices to improve cybersecurity across departments.
NIST is focused on identifying repeatable and cost-effective means to defend critical infrastructure. For example, S.P. 800-204A and SP 800-204B describe how to implement service mesh to invoke a zero-trust architecture (ZTA). The framework is divided into five core areas — Identify, Protect, Detect, Respond, and Recover. These areas provide valuable insights around protecting sensitive data, conducting backups, managing common device vulnerabilities, ensuring quick incident responses, and other best practices.
Center for Internet Security (CIS) is an independent non-profit organization that seeks to establish security benchmarks for today’s leading technologies. CIS oversees CIS Benchmarks, a hub of over 100 configuration guidelines across 25 different vendor categories. These guidelines help security professionals dive into the nitty-gritty details to ward off potential vulnerabilities.
For example, CIS publishes benchmarks for all cloud providers, including AWS, Google Cloud, Microsoft Azure, and IBM Cloud. Following these guidelines would ensure your cloud adoption isn’t prone to misuse or misconfiguration. Other CIS benchmarks cover everything from desktop operating systems to mobile devices, network devices, and SaaS software.
The basic CIS Benchmarks are delivered for free in PDF form for worldwide accessibility. However, they require some personal information to download, and some content is walled off for paying members only.
Cloud Security Alliance (CSA) is an organization that sets best practices for cloud computing security. CSA provides security certifications, research, and resources to engage with the larger security community. CSA also oversees the Cloud Controls Matrix.
The cloud is a nebulous concept, and cloud adoption looks different from business to business. There are many ways to run an application in the cloud (AWS alone supports over 200 different cloud services). And companies often utilize a mixture of multiple clouds and hybrid cloud architectures, further ballooning the potential threat landscape.
Maintained by the Cloud Controls Matrix Working Group, the CSA Cloud Controls Matrix (CCM) provides a means to audit cloud environments for industry-accepted standards and regulations. The Matrix provides systematic processes for assessing the security of many different cloud computing arrangements. Application security, configuration management, compliance, and identity and access management are just several of the many security domains covered in the Matrix.
Keep in mind, CSA conducts more of a business model around membership and certifications. However, you can use CCM without a license for internal purposes.
International Organization for Standardization ISO is an international non-governmental organization that publishes many different types of standards. The ISO/IEC 27000 family of standards is related to cybersecurity. Of these, 27001 is the most well-known collection of requirements for an information security management system.
The ISO 27000 requirements present a code of practice for modern security techniques. Similar to NIST, the framework doesn’t promote a single vendor solution, but ISO digs a little deeper into detail than NIST controls. Although ISO certification is completely obligatory, many digital companies often hire a third-party auditor to verify their ISO certification.
Amazon Web Services (AWS) is compliant with NIST 800-53 and other security frameworks. Although AWS cloud infrastructure itself inherits these security benchmarks, this is independent of the customer actions. How you use the cloud and what you store on the cloud could still break NIST. For example, the operating systems, deployed applications, or firewalls hosted in the cloud still be misconfigured.
To help its customers align to NIST requirements, AWS offers a handy downloadable matrix. If you’re on AWS, this could be useful to guide to secure and configure your software components properly.
Combine and Refine
Since diversification can widen your threat knowledge to better inform your security posture, organizations will probably seek to follow multiple security frameworks simultaneously. Another benefit is improved partner relations — if third parties see your organization as compliant, they can place better faith in your data-handling processes. This is all the more critical to comply with new data privacy regulations.
- NIST publishes government-grade general cybersecurity guidelines.
- CIST presents specific benchmarks around technology vendors and specific software systems.
- CSA oversees recommendations on cloud security assurances and compliances.
- ISO standards are globally-recognized security requirements.
- AWS offers materials for customers to meet NIST requirements.
While the five benchmarks above represent the most adopted ones, it should be noted that 10% of organizations also follow other cybersecurity control frameworks. Others include COBIT, HIPAA, and GDPR. Aside from these control frameworks, subscribing to databases of common vulnerabilities and exposures (CVEs) can be another effective way to keep on top of new security threats.