This post is from my series of short essays on cybersecurity.
One of the important activities in NIST-CSF is “protect”. Building protection for assets needs a comprehensive strategy. This post continues the discussion started in the previous post, Cybersecurity framework – start with identify and protect; here I go one step further and discuss well-known practices under the protect function. I consider these basic steps required for laying down the foundation on which the overall protection infrastructure in the digital world is built. They are fundamental pillars of any information security strategy.
Protect your castle from tumbling down – Timely patching
I mentioned earlier that security is not a product, it is a continuous process. New vulnerabilities are detected regularly – the Log4j vulnerability discovered last month, which impacted almost every Java application, is an example where companies need to race against time to patch their systems. Manual patching of each system and service is time consuming, error prone, and not scalable. Invest in an automated system where agents periodically scan each and every device and service in the network, so that you know the span of a vulnerability in real time and are alerted to any anomaly. The ability to automatically install security patches or isolate vulnerable assets is essential to maintain continuous security at scale and cost effectively.

Leaving your systems and services unpatched is like leaving unlocked or broken windows in your castle, and those are known to everyone in the world. Adversaries are always looking for these unlocked or broken windows to sneak into your assets.
Maintain confidentiality – Encrypt data at rest and data in transit
Confidentiality of data relies heavily on encryption. Adversaries always look for opportunities to sniff data from your network traffic or sneak into data stores to steal data or learn about the internals of your infrastructure. You should always assume the worst case: that adversaries will one day be able to reach your data store or tap into your internal traffic – Countdown to Zero Day by Kim Zetter is a good recap of the early 2000s well-known Stuxnet worm attack on Iran’s nuclear program that exploited such vulnerabilities. Data should always be encrypted when it is stored; all cloud service providers offer the feature to enable encryption on file systems and other data storage. Encrypting messages in transit from one endpoint to another is fundamental, and enabling mutual TLS across all endpoints involved in data exchange is an essential step to enable encryption in transit. This ensures that the parties at each end of the network connection are who they claim to be and that data transmitted on the wire can only be decrypted by the right endpoints.
Maintain confidentiality of confidentiality – Key management
As I discussed earlier, confidentiality depends on the secrecy of the cryptographic keys used in the encryption/decryption process. How cryptographic keys are managed defines how secure your encryption is. A key management policy should cover the full cryptographic key lifecycle: where and how keys can be generated; how keys are protected in storage and during delivery; the process for suspending or revoking keys; and the policy for key rotation, replacing old keys with newly generated keys on a periodic basis. NIST publications under Key Management Guidelines provide general guidelines and best practices for cryptographic key management.
Ask twice at the entry door – Multi-factor authentication
Authentication is the process of verifying the identity someone is claiming. Strong passwords are the traditional method of authentication, but a strong password doesn’t protect against a stolen password: the website haveibeenpwned.com reports more than 11.7 billion leaked login credentials to date. Two-factor authentication provides protection against stolen passwords. Users need to provide a password (“what you know”) and a second authentication factor (“what you have”) as proof of identity. Usually the second factor is proof of possession of something unique to the user, such as a hardware one-time password (OTP) generator device, a smart card held in a tamper-proof device, or a personal mobile device registered with the authentication service (an authenticator).
The activities of continuous patching, encryption at rest and in transit, key management, and multi-factor authentication are the basic pillars on which to build the security infrastructure, not a comprehensive list of all security controls. NIST 800-53 – Security and Privacy Controls for Information Systems and Organizations provides a catalog of security and privacy controls, composed of over 1000 controls to protect against all kinds of threats including human errors, structural issues, and hostile cyber attacks. In future posts I will continue with deep-dive discussions of these security control categories.