Our Solutions

WE KEEP IT SIMPLE, ALLOWING IMMEDIATE TIME TO VALUE

Our solution offering covers critical aspects of business continuity aligned to the NIST Framework and tailored for all types of organizations, from SMBs to enterprises and governments.

Download Product Catalogue
CyberShure NIST 2.0

Glossary

NIST

The NIST cybersecurity framework is a powerful tool to organize and improve your cybersecurity program. It is a set of guidelines and best practices to help organizations build and improve their cybersecurity posture. The framework puts forth a set of recommendations and standards that enable organizations to be better prepared in identifying and detecting cyber-attacks and also provides guidelines on how to respond, prevent, and recover from cyber incidents.

Drafted by the National Institute of Standards and Technology (NIST), this framework addresses the lack of standards when it comes to cybersecurity and provides a uniform set of rules, guidelines, and standards for organizations to use across industries. The NIST Cybersecurity Framework (NIST CSF) is widely considered to be the gold standard for building a cybersecurity program. Whether you’re just getting started in establishing a cybersecurity program or you’re already running a fairly mature program, the framework can provide value — by acting as a top-level security management tool that helps assess cybersecurity risk across the organization.

The framework categorizes all cybersecurity capabilities, projects, processes, and daily activities into these 5 core functions:

IDENTIFY

The Identify function is focused on laying the groundwork for an effective cybersecurity program. This function assists in developing an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. To enable an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs, this function stresses the importance of understanding the business context, the resources that support critical functions, and the related cybersecurity risks. Essential activities in this group include:

  • Identifying physical and software assets to establish the basis of an asset management program
  • Identifying the organization’s business environment including its role in the supply chain
  • Identifying established cybersecurity policies to define the governance program as well as identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organization
  • Identifying asset vulnerabilities, threats to internal and external organizational resources, and risk response activities to assess risk
  • Establishing a risk management strategy including identifying risk tolerance
  • Identifying a supply chain risk management strategy including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks

PROTECT

The Protect function outlines appropriate safeguards to ensure the delivery of critical infrastructure services and supports the ability to limit or contain the impact of a potential cybersecurity event. Critical activities in this group include:

  • Implementing protections for Identity Management and Access Control within the organization including physical and remote access
  • Empowering staff through security awareness training including role-based and privileged user training
  • Establishing data security protection consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information
  • Implementing processes and procedures to maintain and manage the protection of information systems and assets
  • Protecting organizational resources through maintenance, including remote maintenance activities
  • Managing technology to ensure the security and resilience of systems, consistent with organizational policies, procedures, and agreements

DETECT

Detecting potential cybersecurity incidents is critical and this function defines the appropriate activities to identify the occurrence of a cybersecurity event in a timely manner. Activities in this function include:

  • Ensuring anomalies and events are detected, and their potential impact is understood
  • Implementing continuous monitoring capabilities to monitor cybersecurity events and verify the effectiveness of protective measures including network and physical activities

RESPOND

The Respond function focuses on appropriate activities to take action in case of a detected cybersecurity incident and supports the ability to contain the impact of a potential cybersecurity incident. The essential activities for this function include:

  • Ensuring response planning processes are executed during and after an incident
  • Managing communications with internal and external stakeholders during and after an event
  • Analyzing the incident to ensure effective response and supporting recovery activities including forensic analysis and determining the impact of incidents
  • Performing mitigation activities to prevent expansion of an event and to resolve the incident
  • Implementing improvements by incorporating lessons learned from current and previous detection / response activities

RECOVER

The Recover function identifies appropriate activities to renew and maintain plans for resilience and to restore any capabilities or services that were impaired by a cybersecurity incident. Timely recovery to normal operations is emphasized, to reduce the impact of a cybersecurity incident. Essential activities for this function overlap somewhat with those of Respond and include:

  • Ensuring the organization implements recovery planning processes and procedures to restore systems and/or assets affected by cybersecurity incidents
  • Implementing improvements based on lessons learned and reviews of existing strategies
  • Coordinating internal and external communications during and following the recovery from a cybersecurity incident

CIA Triad

The CIA Triad is a benchmark model in information security designed to govern and evaluate how an organization handles data when it is stored, transmitted, or processed. Each attribute of the triad represents a critical component of information security: 

  1. Confidentiality – Data should not be accessed or read without authorization. It ensures that only authorized parties have access. Attacks against Confidentiality are disclosure attacks.
  2. Integrity – Data should not be modified or compromised in any way. It assumes that data remains in its intended state and can only be edited by authorized parties. Attacks against Integrity are alteration attacks.
  3. Availability – Data should be accessible upon legitimate request. It ensures that authorized parties have unimpeded access to data when required. Attacks against Availability are destruction attacks.

Why does it matter

Every cyber attack attempts to violate at least one of the CIA triad attributes. Having a thorough understanding of this information security model helps election offices better identify risks and protect their networks from unauthorized activity through appropriate cybersecurity policies and mitigation measures. Additionally, this model assists with coordinating incident response by establishing common ground for administrative and technical staff to communicate an incident’s scope. It also fosters more detailed communication with the public, increasing transparency on sensitive issues.

What you can do

Evaluate your organization and identify all data you store in the context of the CIA triad to ensure that existing cybersecurity policies and protections address the appropriate risks. The CIS Controls™ and Handbook for Elections Infrastructure Security are key tools for identifying and implementing appropriate policies. Examples of policy recommendations from these tools which address each attribute include:

Confidentiality:

  • CIS Control 14 – Controlled Access Based on the Need to Know
  • Elections Best Practice 12 – Ensure critical data is encrypted and digitally signed

Integrity:

  • CIS Control 13 – Data Protection
  • Elections Best Practice 45 – Maintain a chain of custody for all core devices

Availability:

  • CIS Control 10 – Data Recovery Capability
  • Elections Best Practice 31 – Conduct load and stress tests for any transaction-related systems to ensure the ability of the system to mitigate potential DDoS-type attacks

AI

Artificial intelligence (AI) is the simulation of human intelligence in programmed machines to think like humans and mimic their actions. The term may also be applied to any machine that exhibits traits associated with a human mind such as learning and problem-solving.

The ideal characteristic of artificial intelligence is its ability to rationalize and take actions that have the best chance of achieving a specific goal. A subset of artificial intelligence is machine learning (ML), which refers to the concept that computer programs can automatically learn from and adapt to new data without being assisted by humans.

Deep learning techniques enable this automatic learning by absorbing huge amounts of unstructured data such as text, images, or video.

SIEM

Security information and event management (SIEM) defines software products and services that combine security information management (SIM) and security event management (SEM). As an acronym and a product offering, SIEM is peddled by seemingly countless cybersecurity vendors.

However, Forrester security and risk analyst Allie Mellen says it has a long legacy in compliance and doesn’t necessarily represent where SIEMs are today. “SIEMs are now focused on threat detection and response, incorporating security user behaviour analytics (SUBA) and security orchestration, automation, and response (SOAR) to address each step of the incident response lifecycle.

At Forrester, we call them security analytics platforms to better represent what they do: perform security analytics on data and serve as a platform with connections to third-party offerings for response.”

SOC

A security operations centre (SOC) – sometimes called an information security operations centre, or ISOC – is an in-house or outsourced team of IT security professionals that monitors an organization’s entire IT infrastructure, 24/7, to detect cybersecurity events in real-time and address them as quickly and effectively as possible.

A SOC also selects, operates, and maintains the organization’s cybersecurity technologies and continually analyzes threat data to find ways to improve the organization's security posture.

The major benefit of operating or outsourcing a SOC is that it unifies and coordinates an organization’s security tools, practices, and response to security incidents. This usually results in improved preventative measures and security policies, faster threat detection, and faster, more effective and more cost-effective response to security threats.

A SOC can also improve customer confidence and simplify and strengthen an organization's compliance with industry, national and global privacy regulations.

NOC

A network operations centre, or NOC (pronounced “knock”), is a centralized location where IT technicians directly support the efforts of remote monitoring and management (RMM) software. NOC teams are heavily utilized in the managed IT services space and are a tremendous driver of service delivery for many managed services providers (MSPs).

These technical teams watch over the endpoints they monitor and manage, independently resolving issues that arise and taking preventative steps to ensure system breakdowns do not occur. NOC teams are also heavily involved in high-level security actions and backup and disaster recovery (BDR) efforts, ensuring uptime 24/7/365 for an MSP’s customers.

Zero Trust

The zero trust security model, also known as zero trust architecture (ZTA), zero trust network architecture or zero trust network access (ZTNA), and sometimes known as perimeter-less security, describes an approach to the design and implementation of systems.

The main concept behind the zero trust security model is "never trust, always verify", which means that devices should not be trusted by default, even if they are connected to an approved network such as a corporate network and even if they were previously verified.

ZTNA is implemented by establishing strong identity verification, validating device compliance before granting access, and ensuring least privilege access to only explicitly authorized resources. 

Cyber Kill Chain

The cyber kill chain, also known as the cyberattack lifecycle, is a model developed by Lockheed Martin that describes the phases of a targeted cyberattack. It breaks down each stage of a malware attack so that defenders can identify and stop it.

In military parlance, a "kill chain" is a phase-based model to describe the stages of an attack, which also helps inform ways to prevent such attacks. The closer to the beginning of the kill chain an attack can be stopped, the better. The less information an attacker has, for instance, the less likely someone else can use that information to complete the attack later.

The cyber kill chain applies the military model to cyberattacks, with the phases of a targeted attack described such that they can be used for the protection of an organization's network. The stages are shown in the graphic below.

One thing to keep in mind: the closer to the beginning of the chain you can stop an attack, the less costly and time-consuming the cleanup will be. If you don't stop the attack until it's already in your network, you'll have to fix those machines and do a lot of forensic work to find out what information they've made off with.

Cloud Application Resilience

Cloud application resilience refers to the ability of a cloud-based application to handle and recover from unexpected failures or disruptions in the cloud environment. This can include everything from hardware failures to network outages or even natural disasters.

Resilient cloud applications are designed to continue functioning in the face of such disruptions by relying on redundant systems, backup data and applications, and other measures to ensure continuous availability and service. Additionally, cloud application resilience often involves automated failover and recovery procedures to minimize downtime and maintain performance.

By ensuring resilience, cloud applications can offer greater reliability and availability even in the face of unexpected events, thus enabling businesses to maintain operations and meet customer needs, while reducing potential downtime and data loss.

EDR

Endpoint detection and response (EDR) is a type of cybersecurity solution that focuses on detecting and responding to potential cyber threats that are targeted at endpoint devices like laptops, desktops, mobile devices and servers.

EDR solutions use advanced behavioural analytics and machine learning algorithms to monitor endpoint activities, detect unusual behaviour, and provide real-time alerts to security teams to respond quickly to potential threats. EDR solutions also have the capabilities to investigate and remediate threats and provide detailed information on the source and scope of incidents.

By leveraging EDR solutions, organizations can gain visibility into endpoint activities, identify threats early, and respond quickly and effectively to mitigate their impact, thereby enhancing their overall cybersecurity posture.

DMARC

DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol that provides an additional layer of protection against phishing and other email-based attacks. It allows email domain owners to specify which email servers are authorized to send emails on their behalf and instruct recipient servers on how to handle unauthenticated messages, i.e., either quarantine or reject them.

DMARC works by combining two existing email authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), and adding a reporting component. SPF helps verify the sender's IP address, while DKIM adds a digital signature to confirm that the email message content has not been tampered with during transit. The reporting feature gives domain owners insight into who is sending emails using their domain name, enabling them to take appropriate action in case of abuse or misuse.

In summary, implementing DMARC can help prevent email spoofing, protect the brand reputation, and enhance email deliverability.
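The policy decision described above (SPF or DKIM must pass and be aligned with the visible From: domain, otherwise the owner's p= policy applies), as an added illustration that is not CyberShure's code. It assumes, as a simplification, that the organizational domain is the last two DNS labels; real implementations consult the Public Suffix List.

```python
# Added illustration of DMARC policy evaluation; not CyberShure's code.
# Simplification (assumption): the organizational domain is taken as the
# last two DNS labels; real implementations consult the Public Suffix List.


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s'.

    Defaults follow the spec: relaxed alignment and policy 'none'."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain (simplified: last two labels)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') an org-domain match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain) -> str:
    """Return 'pass', or the domain owner's requested policy otherwise.

    spf_domain is the MAIL FROM (envelope) domain SPF was checked against;
    dkim_domain is the d= tag of a verified DKIM signature."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]  # 'none', 'quarantine' or 'reject'


if __name__ == "__main__":
    policy = "v=DMARC1; p=reject; aspf=s; adkim=r"   # constructed record
    # Legitimate mail: DKIM signed by the From: domain itself
    print(dmarc_disposition(policy, "example.com", "pass", "mail.example.com",
                            "pass", "example.com"))   # pass
    # Spoofed From: header; SPF passes only for the sender's own envelope domain
    print(dmarc_disposition(policy, "example.com", "pass", "attacker.test",
                            "none", ""))              # reject
```

The first call shows why alignment matters: SPF passed, but under strict aspf a subdomain in MAIL FROM does not count, and only the DKIM signature saves the message.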

DKIM

DKIM stands for DomainKeys Identified Mail, and it is an email authentication protocol used to verify the authenticity of email messages. Essentially, DKIM works by adding a digital signature to the header of an email that can be used to confirm that the email was sent from the domain that it claims to have been sent from. This helps to prevent email spoofing, phishing, and other fraud attempts.

To use DKIM, a domain owner will create a public cryptographic key and privately store the corresponding private key. The public key is then published in a DNS TXT record for the domain. When an email is sent from that domain, the email headers are signed using the private key. The recipient server can check the signed header against the published public key to confirm that the message was actually sent by the domain owner and has not been tampered with in transit.

Overall, DKIM is an important tool in the fight against email-based fraud and can help to improve email deliverability and security. 

SPF

Sender Policy Framework (SPF) is an email authentication protocol designed to detect email spoofing by allowing domain owners to specify which IP addresses are authorized to send emails on behalf of their domain. SPF records are published in the domain’s DNS and the receiving email server checks the SPF records to determine if the email came from an authorized source.

SPF works by verifying the originating IP address of an email with the list of IPs and domains specified in the SPF record of the domain. If the originating IP is not listed in the SPF record, then it is considered as a fake or spoofed email, and it may be blocked or marked as spam.

SPF helps to prevent email phishing, spam, and other malicious activities, and it can significantly improve email delivery rates. However, it is important to note that SPF alone is not a foolproof solution, and it should be used in combination with other email authentication protocols such as DKIM and DMARC to provide better protection against email fraud. 

PAM

Privileged access management refers to the practice of providing enhanced security controls for users who have administrative or privileged access to critical systems and sensitive data. This approach helps organizations to minimize the risks associated with cyber threats and reduce the potential for insider attacks or accidental errors caused by privileged users.

With privileged access management, organizations can establish defined workflows and processes for granting, monitoring, and revoking privileged access rights. This ensures that only authorized personnel have access to sensitive data and systems. Additionally, privileged access management solutions use comprehensive analytics and monitoring capabilities to detect and respond to any suspicious activity immediately.

By implementing a privileged access management solution, businesses can meet regulatory compliance requirements and reduce the risk of costly security breaches. Further, automated processes for centralized management of privileged access rights can minimize the labor and administrative overhead associated with manual access management practices. Ultimately, privileged access management can provide an effective security framework for organizations that rely on privileged access across their IT infrastructure. 

DDoS

DDoS, short for Distributed Denial of Service, is a type of cyber-attack where multiple compromised systems are used to flood a target website or server with traffic, causing it to slow down or crash. This attack can also be used to overwhelm network resources or specific applications.

The main goal of a DDoS attack is to disrupt the normal operations of a system or network, often resulting in significant financial losses and reputational damage for the affected organization. Attackers may use a variety of techniques, including botnets, amplification attacks, and reflective attacks, to execute a successful DDoS attack.

To protect against DDoS attacks, organizations should implement proactive measures such as network segmentation, traffic analysis, and strong authentication mechanisms. Additionally, deploying DDoS mitigation hardware or outsourcing to a cloud-based DDoS protection service can provide an additional layer of defence against such attacks. Lastly, it is also essential to have a disaster recovery and incident response plan in place.

SQL Injection

SQL injection is an attack on a web application that uses malicious input to manipulate a database and steal or modify data. This type of attack is possible when a web application fails to properly sanitize user input, which allows attackers to inject SQL commands into the application. Once injected, these commands can be executed by the database, giving the attacker unauthorized access to data.

To prevent SQL injection, developers should implement measures such as parameterized queries, input validation, and escaping user input. Parameterized queries ensure that user input is separated from the SQL command, preventing injection attacks. Input validation involves checking that user input meets expected patterns and limits. Escaping user input involves encoding special characters so that they are not interpreted as SQL commands.

Preventing SQL injection is critical to protecting data and maintaining the integrity of web applications. It is important for developers to stay updated with the latest techniques and best practices for preventing SQL injection and other security threats.
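The two defences the section names, parameterized queries and input validation, shown side by side with the string-built query they replace, as an added example that is not CyberShure's code. It uses Python's built-in sqlite3 module with an in-memory table of constructed rows, so it runs offline.

```python
# Added example contrasting string-built SQL with parameterized queries
# and input validation; illustration only, not CyberShure's code.
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """Concatenates user input into the SQL text, so the input can
    change the command itself (deliberately unsafe, for contrast)."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username: str) -> list:
    """Sends the SQL and the value separately; the driver binds the value
    as data, so quotes inside it never become SQL syntax."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def lookup_validated(conn, username: str) -> list:
    """Input validation in front of the parameterized query: reject anything
    outside the expected username pattern before it reaches the database."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username does not match the expected pattern")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"        # constructed injection string
    print(lookup_vulnerable(db, payload))      # every row comes back
    print(lookup_parameterized(db, payload))   # [] : no user is literally named that
    print(lookup_validated(db, "bob"))         # [('bob', 'user')]
```

Validation is defence in depth, not a substitute: the parameterized query alone already neutralizes the payload, while validation also keeps malformed values out of logs and downstream code.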