{"id":52558,"date":"2023-06-29T00:00:00","date_gmt":"2023-06-29T00:00:00","guid":{"rendered":"urn:uuid:2b201d74-5aa0-66b2-e3ed-10629ad8fba5"},"modified":"2023-06-29T00:00:00","modified_gmt":"2023-06-29T00:00:00","slug":"meet-nist-compliance-standards-using-automation","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/meet-nist-compliance-standards-using-automation\/","title":{"rendered":"Meet NIST Compliance Standards Using Automation"},"content":{"rendered":"

<\/p>\n

<\/div>\n

Along with three service models:<\/p>\n

    \n
  1. Software as a service (SaaS)<\/li>\n
  2. Platform as a service (PaaS)<\/li>\n
  3. Infrastructure as a service (IaaS)<\/li>\n<\/ol>\n

    And four deployment models:<\/p>\n

      \n
    1. Private<\/li>\n
    2. Community<\/li>\n
    3. Public<\/li>\n
    4. Hybrid<\/li>\n<\/ol>\n

      Who has to comply?<\/b>
      While, for those in private sector, NIST compliance isn\u2019t mandatory, all federal government agencies and their federal contractors (and subcontractors) working with government data are required to comply. The root this can be drawn to the Federal Information Security Modernization Act of 2014 (FISMA)<\/a>. Since then, US government agencies and their contractors have been required to implement \u201ceffective information security programs\u201d that include risk management, security governance, security evaluation and testing, and incident response capabilities.<\/p>\n

      While, according to (ISC) \u00b2<\/a>, the global cyber workforce gap increased by 26.2% in 2022, it\u2019s no secret that there is a significant knowledge gap between organizations when it comes to securing high-value assets. This is often because security laws and regulations have been implemented, but many fail to tell you how to be secure. NIST aims to eliminate these gaps by providing detailed guidance, no matter the industry or organization size. That\u2019s why many companies have voluntarily started leveraging NIST guidelines and standards to implement, manage, operate, monitor, and improve their security programs for a stronger defense posture.<\/p>\n

      NIST in action<\/b>
      Since NIST is more of a guidebook than an actual law, one cannot accurately say a breach occurred because the organization didn\u2019t follow NIST. But, if you look at the cause of breaches, you\u2019ll recognize how leveraging NIST could\u2019ve led to a better outcome.       Intel<\/a> recently implemented the NIST framework voluntarily, reporting that “the Framework can provide value to even the largest organizations and has the potential to transform cybersecurity on a global scale by accelerating cybersecurity best practices”.<\/p>\n

      However, all organizations don\u2019t have the same level of insight. Here are some recent breaches that could\u2019ve used a little help from NIST:<\/p>\n

      Meta<\/b>
      The 2021       Facebook data breach<\/a> resulted in mobile numbers and email addresses of 533 million users being exposed and posted on a popular hacker forum. Facebook responded that it was not a cause for concern because the breach occurred in 2019, which is actually more<\/i> concerning.<\/p>\n

      The fact this breach happened two years ago brings elements #4 and #5 of NCF into the conversation. Facebook claims they \u201cfound and fixed\u201d<\/a> the issue in August 2019, but since then they\u2019ve experience similar email\/phone number breaches in September and December 2019<\/a> and early 2020. Also, Facebook did a poor job on the recovery front\u2014as the scraped data went on to be exposed nearly two years later.<\/p>\n

      Estee Lauder <\/b>
      The cosmetic giant exposed more than       440 million data pieces<\/a> due to an unsecured database, as there was no password protection in place. Estee Lauder could have avoided this breach by following NCF element #1 and identifying which systems need to be protected, while working toward a more secure and protected infrastructure.<\/p>\n

      U.S. Cellular <\/b>
      In       January 2021<\/a>, threat actors targeted retail employees of the fourth-largest wireless carrier in the US. Through an undisclosed method, cybercriminals were able to trick employees into downloading malicious software. This allowed them to gain remote access to the company\u2019s customer relationship management (CRM) software and company devices containing records for nearly 5 million customers<\/a>. Luckily, U.S. Cellular detected it just two days after the attack. While many believe that breaches only take place on servers, it nonetheless shows that the human attack vector needs to be secured as well. This demonstrates the importance of NCF element #1\u2014security isn\u2019t just about configurations, it\u2019s also educating employees on the signs of a potential scam.<\/p>\n

      Why does this matter to you?<\/b>
      It\u2019s your responsibility to safeguard your organization\u2019s assets against security breaches. Employing a       zero-trust approach<\/a> paired with regular backups and cultivating an organization-wide cybersecurity culture to security are the first steps towards employing NIST compliancy.<\/p>\n

      Many U.S. organizations have been taking a federal-first approach<\/a> to compliance. As the federal government is a prime target for today\u2019s most advanced cyberattacks, implementing government standards will ensure that any lesser requirements will also be covered.<\/p>\n

      Thanks to automation, leveraging NIST and meeting compliance regulations doesn\u2019t have to be as time-consuming or complicated as anticipated. Automating security scans for misconfigurations saves cybersecurity teams time from manually scanning and reduces the chances of breaches caused by human error (the #1 cause of cloud misconfigurations<\/a>).<\/p>\n

      Automate and accelerate your audits with Trend Micro Cloud One\u2122 \u2013 Conformity<\/b>
      Automating security audits allows your IT teams to work at lightning speed while meeting business\u2019 compliance needs. Conformity provides your team with:<\/p>\n