Cyber Bytes: New NIST Cyber Security Framework

Image: Lock icon over a background of HTML code (madartzgraphics / Pixabay)

In the next installment of Cyber Bytes, Tracy Ross speaks to Dr. Michael Ramage, Director of Murray State University's Cyber Education and Research Center, about the latest cyber security guidelines set by the National Institute of Standards and Technology (NIST). Ramage explains that this framework, designed to help organizations more safely communicate and handle cyber security threats, was set in place after a malicious worm virus managed to hack an offline computer in rural Iran.

"Stuxnet was a worm virus that was launched, and when cyber security researchers found it, they noticed it was looking for a computer that was running particular software connected to a particular programmable logic controller in a particular part of the world, and all these characteristics," Ramage explains. The virus was ultimately targeting a PLC (programmable logic controller) controlling a nuclear enrichment facility. The computer in rural Iran was offline until a thumb drive was connected to the machine to install software updates. "When they connected it to that computer, it gave them that worm, it launched the payload, and ultimately, it is believed that the Stuxnet worm set the Iranian nuclear enrichment program back by five or ten years," Ramage says. "If a hacker, an attacker, a threat actor has enough time, money, and resources, they can hack you."

Ramage says the recent updates to the NIST cyber security framework include a greater emphasis on governance. While passwords and other security tools can help prevent cyber attacks, governance provides a holistic approach to cyber security that helps fortify organizations before, during, and after an attack. "If you don't have that holistic view, then we're going to miss something. This new framework says that we've got to make sure that we're planning, governing, monitoring, and we're looking at all of these security tools and techniques and everything we need, processes, and we're doing it in a way that makes sense to the business."

Cyber security guidelines differ from other organizational guidelines such as HIPAA in the health industry or FERPA in education. Whereas certain organizations are required to follow HIPAA, FERPA, or similar guidelines and are subject to regular audits to ensure they are following standard practice, the NIST cyber security guidelines have historically been optional. However, Ramage says that might change from a legal perspective.

"There's not specifically punitive damage for [not following] the cyber security framework," Ramage says. "But what is happening now is if you have my data and you've been the victim of a data breach because you're not doing what you should be doing, you're not following industry best practices, the courts have said you might be liable and open to lawsuit. What some courts have said is if you're following a framework, doing the industry best practices and doing what you say you're doing, then maybe you can be shielded from some of these lawsuits."

Ramage says that Florida has proposed a bill that would protect organizations from liability if they could prove they were following NIST guidelines during a cyber attack. "The point I go back to is the Stuxnet," Ramage continues. "You can be hacked. I don't care what organization you are in this world, if you're the most secure organization there is, with enough time, money, and energy, you can be hacked. So, we can't say that if I put in these processes and tools that we're perfect and safe because nobody is safe. But if we follow these frameworks, then you are doing what the industry says is the best practice, and you're doing what you should to realistically keep your organization safe."

The NIST website offers a complete description of its Cybersecurity Framework 2.0, video presentations, comparisons to other global or regional cyber security standards, and a self-assessment that lets users gauge how closely their organization aligns with NIST standards. Ramage encourages anyone interested in learning more about cyber security and how to protect themselves or their organizations to start at the NIST website.

For more information on MSU's Cyber Education and Research Center, visit its website. Read other Cyber Bytes installments here.

Tracy started working for WKMS in 1994 while attending Murray State University. After receiving his Bachelor's and Master's degrees from MSU, he was hired as Operations/Web/Sports Director in 2000. Tracy hosted All Things Considered from 2004-2012 and has served as host/producer of several music shows, including Cafe Jazz and Jazz Horizons. In 2001, Tracy revived Beyond The Edge, a legacy alternative music program that had been on hiatus for several years. Tracy was named Program Director in 2011 and created the midday music and conversation program Sounds Good in 2012, which he hosts Monday-Thursday. Tracy lives in Murray with his wife, son and daughter.
Melanie Davis-McAfee graduated from Murray State University in 2018 with a BA in Music Business. She has been working for WKMS as a Music and Operations Assistant since 2017. Melanie hosts the late-night alternative show Alien Lanes, Fridays at 11 pm with co-host Tim Peyton. She also produces Rick Nance's Kitchen Sink and Datebook and writes Sounds Good stories for the web.