How to use and apply compliance frameworks, written by Cybersecurity Engineer, Brice Dickinson.
The year is 2005, I’m 12 years old, and one day after school, the girl who I had my first real crush on walked by with her walkman (the cd version) and after a horrifically awkward conversation, I finally asked what she was listening to. Without saying a word she put her headphones on my head, hit the previous button on the walkman, and then my ears were assaulted with the now infamous lines, “DON’T WANT TO BE AN AMERICAN IDIOT!” This was the first time I had ever heard punk music and it changed my world forever. Now, while I still love punk and hardcore music, in this article we are going to focus on what many consider to be the antithesis of punk, compliance, and how compliance can help guide your district to a more secure future.
Cybersecurity Compliance involves meeting various controls (usually enacted by a regulatory authority, law, or industry group) to protect the confidentiality, integrity, and availability of data. At face value, compliance may seem like unnecessary busy work or a colossal task that’s just not worth the time and effort. However, compliance, when applied properly, can be another tool in our tool belt to better secure our districts. The first step in any compliance work is to find out what the district needs to be compliant with based on the industry vertical. Currently, the education vertical needs to be compliant with various laws such as CIPA, FERPA, COPPA, and HIPAA, but no cybersecurity compliance is mandatory. This will almost surely be changing because as of October of 2021, President Biden signed a bill that called for a study of the K-12 cybersecurity landscape. After the study, the industry will be able to offer recommendations based on those findings, which undoubtedly means new compliance measures for K-12 institutions.
Breaking Down Best Practices
So with this in mind how can we get ahead of the curve and start the journey of cybersecurity compliance? Instead of reinventing the wheel we can look to some existing frameworks like NIST Standards, CIS Controls, and the relatively new K12 SIX Standards of Practice and see how our districts stack up to each of these frameworks to find both strengths and weaknesses of our current technology environment.
NIST (National Institute of Standards and Technology) is a non-regulatory federal agency within the U.S. Department of Commerce, and its cybersecurity framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data. The NIST standards can be a bit lengthy, so let’s summarize the different sections that are covered: Access control, Awareness and training, Audit and accountability, Configuration management, Identification and authentication, Incident response, Maintenance, Media protection, Personnel security, Physical protection, Risk assessment, Security assessment, System and communications protection, and System and information integrity. Multiple controls are then listed throughout these sections that together make up the framework. For a more detailed look at the NIST Framework, check out the official v1.1 framework documentation.
CIS (Center for Internet Security) is a community-driven nonprofit founded in the year 2000 and is now globally recognized for best practices in securing IT systems and data. Their CIS Controls provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. The latest version, version 8, is organized into 18 controls.
These 18 controls are:
- Inventory and Control of Enterprise Assets
- Inventory and Control of Software Assets
- Data Protection
- Secure Configuration of Enterprise Assets and Software
- Account Management
- Access Control Management
- Continuous Vulnerability Management
- Audit Log Management
- Email and Web Browser Protections
- Malware Defenses
- Data Recovery
- Network Infrastructure Management
- Network Monitoring and Defense
- Security Awareness and Skills Training
- Service Provider Management
- Application Software Security
- Incident Response Management
- Penetration Testing
As you can see from this list, several sections and topics overlap with the NIST sections. This is because oftentimes standards and frameworks are “aligned” with other standards and frameworks to build on top of each other. For more detailed information on the 18 CIS controls, check out the official CIS Controls List.
The K12 Security Information Exchange (K12 SIX), launched in 2020, is a non-profit that operates as an enhanced information sharing and analysis center (ISAC). K12 SIX fosters collaboration amongst its members to achieve collective defense against cyber threats. Their mission is to help school districts and other K12 organizations, including charter schools, private schools, and state and regional education agencies, to better defend themselves from emerging cybersecurity threats, such as ransomware and phishing attacks. In 2021 they debuted their K12 SIX Essential Cybersecurity Protections for the 2021-2022 school year. These protections are broken down into 4 sections: Sanitize Network Traffic to/from the Internet; Safeguard Student, Teacher, and Staff Devices; Protect the Identities of Students, Teachers, and Staff; and Perform Regular Maintenance. These sections are then broken down into several sub-controls, each of which is mapped or “aligned” with both NIST and CIS standards and controls. For more details on this framework, visit their website https://www.k12six.org/protective-measures-series and enter your information to access their free documentation.
How to Implement
So now that we have seen some common frameworks and some broader details of what they cover, the question that remains is how do we use them? Let’s walk through an example together using the K12 SIX framework as we can use this framework as a stepping stone into more comprehensive frameworks in the future. Their controls also map to NIST and CIS controls so think of it as a 3 for 1 deal when it comes to compliance. For this example, we are going to be looking at control 1.4 (Section 1, Sanitize Network Traffic to/from the Internet, Control 4, Limit Exposed Services, page 6 if you’re following along at home.)
At the top of the page, they give us a quick explanation of why this control is important. For control 1.4 this reads, “Internet-exposed services, such as remote desktop protocol (RDP), provide a method for attackers to reach inside a school district’s network to create disruption and steal data. In some cases, these services can be vulnerable to attack simply by being turned on.” Underneath the quick explanation is a slightly more detailed explanation of the problem or solution, often with links to other articles or documents that offer additional insight into the problem or solution. This detailed explanation states: “School districts enable remote desktop access to ensure staff can access critical applications and files off-campus, as well as to facilitate the provision of technical support. A December 2020 joint Cybersecurity Advisory (“Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data”)—coauthored by the FBI, CISA, and MS-ISAC—warned school districts that they ‘frequently see malicious cyber actors exploiting exposed Remote Desktop Protocol (RDP) services to gain initial access to a network and, often, to manually deploy ransomware.’” Lastly in this top section is a small box that offers a tip or insight into how to detect or prevent the problem the control addresses. The tip for this control is “Is my school district at risk? Check your firewall rules for services allowing port 3389 (and/or RDP access). Using Shodan (https://www.shodan.io), scan your public IPs for exposed RDP.” Overall this top section gives us a more detailed view of the control, why it’s a threat, and how we can potentially overcome this threat.
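The tip for control 1.4 asks you to check your firewall rules for anything allowing port 3389 in from the Internet. The script below is an added example of automating that check; it is not K12 SIX's tooling or the author's, and the rule format, internal address ranges and sample rule set are all constructed for this example (adapt the loader to whatever your firewall exports). It generalizes the tip slightly: `exposed_port_rules` answers the same question for any port, and `exposed_rdp_rules` is the 3389 case.

```python
"""Flag firewall rules that expose RDP (TCP/UDP 3389) to the Internet.

Added example for the K12 SIX control 1.4 tip ("check your firewall rules for
services allowing port 3389"). The Rule format is constructed for this example
and is not any vendor's export format.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

RDP_PORT = 3389

# Address space treated as "inside the district" for this example (RFC 1918 +
# loopback). A rule whose source lies entirely inside these ranges is reachable
# only from the LAN/VPN, so it is not Internet-exposed even if it allows 3389.
INTERNAL_NETS = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


@dataclass
class Rule:
    name: str
    action: str       # "allow" or "deny"
    direction: str    # "inbound" or "outbound"
    source: str       # source CIDR, e.g. "0.0.0.0/0"
    dest_ports: str   # "any", "3389", "3000-4000" or "22,3389"


def port_matches(spec: str, port: int) -> bool:
    """True if a port spec ("any", single port, range, comma list) covers port."""
    spec = spec.strip().lower()
    if spec == "any":
        return True
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def source_is_internet(cidr: str) -> bool:
    """True unless the source CIDR sits entirely inside one internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(
        net.version == internal.version and net.subnet_of(internal)
        for internal in INTERNAL_NETS
    )


def exposed_port_rules(rules: List[Rule], port: int) -> List[str]:
    """Names of inbound allow rules that admit Internet traffic to `port`.

    Deny rules, outbound rules and internally-sourced rules are ignored.
    """
    hits = []
    for r in rules:
        if r.action.lower() != "allow" or r.direction.lower() != "inbound":
            continue
        if port_matches(r.dest_ports, port) and source_is_internet(r.source):
            hits.append(r.name)
    return hits


def exposed_rdp_rules(rules: List[Rule]) -> List[str]:
    """The control 1.4 check: which rules expose RDP to the Internet?"""
    return exposed_port_rules(rules, RDP_PORT)


# Constructed sample rule set (not from any real district).
SAMPLE_RULES = [
    Rule("allow-rdp-any",   "allow", "inbound",  "0.0.0.0/0",       "3389"),
    Rule("allow-rdp-vpn",   "allow", "inbound",  "10.20.0.0/16",    "3389"),
    Rule("deny-rdp-any",    "deny",  "inbound",  "0.0.0.0/0",       "3389"),
    Rule("allow-web",       "allow", "inbound",  "0.0.0.0/0",       "80,443"),
    Rule("allow-lab-range", "allow", "inbound",  "198.51.100.0/24", "3000-4000"),
    Rule("allow-outbound",  "allow", "outbound", "0.0.0.0/0",       "any"),
]

if __name__ == "__main__":
    for name in exposed_rdp_rules(SAMPLE_RULES):
        print(f"At risk: rule {name!r} exposes RDP to the Internet")
```

Note the `allow-lab-range` hit: a port range that happens to cover 3389 is exposed RDP just as much as an explicit 3389 rule, which is why the check expands ranges rather than string-matching on "3389". The Shodan scan in the tip complements this by confirming from the outside what the rule review finds from the inside.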
The bottom of the page is where the real meat of the control is located. We are presented with a chart that breaks down the control into a four-scale rubric of At Risk, Baseline, Good, and Better. Here’s what that looks like for this control.
From this table, we can get a good amount of actionable data that we can use to begin to assess our district against this control. The protective measures row gives information on how to implement the control, the impact on users and implementation cost rows tell us how implementing this control will affect our district, and finally the alignments row tells us which controls from other frameworks this control aligns with.
Now that we have seen what these controls look like, it’s time to do the hard part: actually applying the compliance framework to your district. This may seem like an overwhelming task, but if we break it down into smaller steps we can begin this journey in earnest. First, look through the frameworks and find one to implement that aligns with your district. (I highly recommend the K12 SIX Essential Cybersecurity Protections as a first framework to implement.) Next, review the controls of the framework so you understand what the goal of each control is. After you review the controls, it’s time to assess your district. Go through each control and document how each control is currently implemented in your environment. Once documented, see what parts of the control are implemented currently (none, partial, half, full) and set a realistic goal of what it looks like to fully implement that control in your environment. Finally, after all of the realistic goals for your environment have been documented, it’s time to start working on fully implementing those controls across your district.
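The assess-document-set-a-goal steps above produce a lot of per-control notes, and it helps to keep them in one structured place so you can see where the biggest gaps are and report progress by section. The tracker below is an added example of doing that; it is not K12 SIX's tooling or the author's. The numeric weights given to the page's status scale (none, partial, half, full) are an assumption made for this example, and every entry other than control 1.4 and the four section names is a constructed placeholder, including the alignment strings, which you would copy from each control's alignments row.

```python
"""Track a district's self-assessment against a compliance framework.

Added example for the assessment steps in the article; not K12 SIX's tooling.
STATUS_WEIGHT is an assumed numeric mapping for the page's status scale, and
all control entries except 1.4 are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed weights for the status scale used in the assessment step.
STATUS_WEIGHT: Dict[str, float] = {"none": 0.0, "partial": 0.25, "half": 0.5, "full": 1.0}


@dataclass
class ControlAssessment:
    control_id: str
    section: str
    name: str
    current: str                        # how the control is implemented today
    target: str                         # realistic goal for this environment
    evidence: str = ""                  # where/how the current state was documented
    alignments: Tuple[str, ...] = ()    # NIST/CIS ids copied from the alignments row

    def __post_init__(self) -> None:
        # Reject anything outside the agreed scale so reports stay comparable.
        for status in (self.current, self.target):
            if status not in STATUS_WEIGHT:
                raise ValueError(f"unknown status {status!r} for control {self.control_id}")

    @property
    def gap(self) -> float:
        """Distance between the realistic goal and today's state (0 = done)."""
        return STATUS_WEIGHT[self.target] - STATUS_WEIGHT[self.current]


def prioritize(controls: List[ControlAssessment]) -> List[str]:
    """Control ids ordered by largest gap first; ties broken by id."""
    return [c.control_id for c in sorted(controls, key=lambda c: (-c.gap, c.control_id))]


def section_progress(controls: List[ControlAssessment]) -> Dict[str, float]:
    """Average current implementation per framework section, as a percentage."""
    totals: Dict[str, List[float]] = {}
    for c in controls:
        totals.setdefault(c.section, []).append(STATUS_WEIGHT[c.current])
    return {s: round(100 * sum(w) / len(w), 2) for s, w in totals.items()}


def overall_progress(controls: List[ControlAssessment]) -> float:
    """Average current implementation across all controls, as a percentage."""
    return round(100 * sum(STATUS_WEIGHT[c.current] for c in controls) / len(controls), 2)


def report(controls: List[ControlAssessment]) -> str:
    """Plain-text gap report, one line per control, highest gap first."""
    by_id = {c.control_id: c for c in controls}
    lines = [f"{'id':<5} {'current':<8} {'target':<8} {'gap':<5} name"]
    for cid in prioritize(controls):
        c = by_id[cid]
        lines.append(f"{c.control_id:<5} {c.current:<8} {c.target:<8} {c.gap:<5.2f} {c.name}")
    lines.append(f"overall: {overall_progress(controls)}% of controls implemented")
    return "\n".join(lines)


# Constructed sample assessment. Only control 1.4 and the four section names
# come from the K12 SIX framework; every other value is a placeholder.
SAMPLE = [
    ControlAssessment("1.4", "Sanitize Network Traffic to/from the Internet",
                      "Limit Exposed Services", current="partial", target="full",
                      evidence="firewall rule export reviewed (constructed)",
                      alignments=("placeholder: copy ids from the alignments row",)),
    ControlAssessment("2.1", "Safeguard Student, Teacher, and Staff Devices",
                      "Placeholder control", current="half", target="full"),
    ControlAssessment("3.1", "Protect the Identities of Students, Teachers, and Staff",
                      "Placeholder control", current="none", target="half"),
    ControlAssessment("4.1", "Perform Regular Maintenance",
                      "Placeholder control", current="full", target="full"),
]

if __name__ == "__main__":
    print(report(SAMPLE))
    for section, pct in section_progress(SAMPLE).items():
        print(f"{pct:6.2f}%  {section}")
```

Sorting by gap rather than by current status is deliberate: a control you have decided only to bring to "half" for now should not outrank one where the realistic goal is "full" and you are far from it. Because control 1.4 also maps to NIST and CIS controls, the `alignments` field lets the same assessment rows double as evidence when you later move to one of those broader frameworks.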
I understand that implementing compliance frameworks may not be on the top of your list of most exciting things to do in 2022, but it can provide an invaluable roadmap to securing our districts now and in the future. So with that in mind let’s get started today and climb this mountain, one foot at a time…or at least one control at a time.
For more information on how you can implement Cybersecurity best practices in your district, contact us using the form below to schedule an assessment to derive your district’s Cyber Score based on 18 key risk categories.