Privacy Rights Clearinghouse maintains a database of every data breach made public since 2005, and as the total number of records rapidly approaches one billion, board members, infosec leaders, and consumers are all asking the same question: Why does this keep happening?
It’s not like we don’t collectively understand how to secure our systems and networks. NIST maintains nearly two hundred special publications focused on computer security, and the ISO 27000 series contains dozens of standards for securing information systems.
What’s more, multiple industries have specific standards and regulations targeting information security and risk management controls. Retail has PCI. Healthcare has HIPAA. Education has FERPA. Energy has NERC. Financial Services seems to be bound to more information security standards and regulations than all other industries combined.
Still, the question remains: Why does this keep happening?
Three key factors
First, organizations of all sizes are drowning in the details. A 2012 Small Business Administration survey in the United States found that 99.7% of U.S. employer firms were small businesses. The sheer number of controls contained within existing information security standards and regulations can be daunting for large, multinational corporations. Expecting small and medium businesses to comply with those same standards and regulations is unrealistic.
Second, in an effort to remain independent, many of these standard and regulatory bodies focus on what controls need to be implemented, and not how to implement them. Many of these bodies offer the same control recommendations as their counterparts without providing the details organizations need in order to put those controls into effect.
Third, these control sets are often presented without any context around priority. With PCI, for example, organizations are either compliant or non-compliant, and many of those organizations struggle with how to prioritize individual control recommendations while striving to achieve the goal of 100% compliance.
Common Sense Security Framework (CSSF)
The CSSF is an open information security framework designed to help bridge these gaps by focusing on the fundamentals. The framework is divided into seven (7) areas:
- Protect your applications
- Protect your endpoints
- Protect your networks
- Protect your servers
- Protect your data
- Protect your locations
- Protect your people.
Each protection area contains three (3) questions that organizations should be asking themselves about their information security controls. In a matter of minutes, organizations can evaluate themselves against the CSSF by answering Yes or No to the following twenty-one (21) questions.
Protect your applications
Scope includes web and mobile applications.
- Do your developers know how to write secure code?
- Have you documented your application security requirements in both internal project documents and in third party contracts?
- Do you scan for and patch technical vulnerabilities in all of your web and mobile applications?
Protect your endpoints
Scope includes workstations, laptops, smartphones, tablets, kiosks, and removable media.
- Do you run antivirus/antimalware software on all of your endpoints?
- Do you limit local administrator account usage?
- Do you scan for and patch technical vulnerabilities on all of your endpoint devices, both at the operating system level and at the application level?
Protect your networks
Scope includes wired, wireless, cloud, and remote access (VPN) networks.
- Do you have separate (segregated) networks for wired, wireless, cloud, and remote/VPN users?
- Do your wireless and external networks use strong encryption?
- Do you require two factor authentication for remote/VPN access, as well as access to third party (hosted) applications?
Protect your servers
Scope includes directory, file, web, application, and database servers.
- Do you follow documented system hardening procedures to secure your servers?
- Do you centrally store and actively monitor critical security logs for suspicious events (such as abnormal admin account activity)?
- Do you scan for and patch technical vulnerabilities on all of your servers, both at the operating system level and at the application level?
Protect your data
Scope includes data at rest and data in motion.
- Do you create and regularly test backups of your critical business data?
- Do you periodically review employee account security to ensure that access is appropriate (i.e., least privilege, individual accounts, strong passwords)?
- Do you encrypt all sensitive data stored on disk?
Protect your locations
Scope includes headquarters, branch offices, data centers, and retail outlets.
- Do you restrict access to sensitive office locations and workspaces?
- Are all of your servers and network devices in locked rooms?
- Do you require your employees to monitor authorized visitors and to challenge unauthorized strangers?
Protect your people
Scope includes people who work for your organization, as well as people who work with your organization.
- Do you teach your people how to identify and respond to potential security incidents?
- Do you perform background checks on new hires and on current employees, both upon hire and on a recurring basis (as needed)?
- Do you have documented policies, standards, and procedures that you use as the foundation for your training activities?
Organizations can prioritize their fundamental security control gaps by focusing on the No’s. The CSSF pairs each question with recommendations for free, open source, and commercial tools that could potentially help an organization quickly and cost-effectively shift each No to a Yes.
The CSSF counters complexity with simplicity. It counters independence with guidance. It counters uniformity with prioritization.
It’s important to note that the CSSF is not intended to serve as a replacement for any of the other existing regulations or standards. Rather, the CSSF serves as a primer of sorts, as a stepping stone between knowing the fundamentals and understanding how to implement them.
Similar to the Penetration Testing Execution Standard (PTES), the CSSF is a grassroots effort. The CSSF GitHub project contains the spreadsheet self-assessment tool, but additional resources (such as a collection of HTML bookmarks and specific how-to guides) are still under development. As organizations and security professionals continue to adopt and contribute to the CSSF, the framework’s effectiveness will continue to improve.
By shifting our focus to the fundamentals of information security, the CSSF could prove an invaluable tool in helping organizations shore up their defenses.