Top 50 NIST CSF Tips to Address Remote Work Cyber Risk

Published by Craig Shuster

WFH: More than a Temporary Transition

A number of our clients have asked us how to leverage the NIST Cybersecurity Framework (NIST CSF) to address work-from-home cyber risk. Considering the global prevalence of remote work well into 2021, the concern deserves attention and can easily be addressed in the Axio360 platform. With these continued and dramatic changes in the work environment, it’s more important than ever to be prepared for a complex and expanded cyber-attack surface.

This blog post highlights 50 considerations for enhancing your remote workforce cybersecurity that are mapped to NIST CSF. Keep these considerations in mind as you complete your NIST CSF assessments in the Axio360 Platform. NIST CSF contains 5 Functions, 23 Categories, and 108 Subcategories; the considerations are organized by the NIST CSF Functions: Identify, Protect, Detect, Respond, and Recover and grouped by the 23 NIST CSF Categories.

Table of Contents

NIST CSF Tips by Function

Identify

Protect

Detect

Respond

Recover

How to Get Started


ID: Identify

The first NIST CSF Function, Identify, drives home the importance of understanding which cybersecurity risks the organization is exposed to before putting protections in place. With more endpoints than ever, many of them now sitting on employee-provided networks, the risk of data leakage grows accordingly.

ID.AM: Asset Management

  1. Track assets that are moving off-prem (from previously situated on-prem) in inventories.
  2. Configure, vet, and track new assets that are acquired in response to remote work.
  3. Identify any newly allowed BYOD devices accessing the network (via VDI, VPN, etc.).
  4. Revise processes to provision assets to remote employees.
  5. Track the changes to configuration baselines necessary for remote work.
  6. Create new configuration baselines for new devices acquired for remote work (and track the absence of those baselines for things like BYOD).
  7. Revise processes to configure newly provisioned assets.
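The inventory work in ID.AM items 1, 3 and 6 can be checked mechanically: diff the inventory snapshot taken before the move against the current one, and diff the current inventory against the device identifiers your VPN actually sees. The following is an added example, not Axio's code or the Axio360 platform's; the inventory records, device IDs and the "location" and "baseline" fields are constructed for illustration.

```python
"""Reconcile the asset inventory against devices seen on the VPN.

Added example with constructed data. Field names (location, baseline) and
the idea that the VPN client presents a device ID are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Asset:
    asset_id: str
    owner: str
    location: str               # "on-prem" or "remote"
    baseline: Optional[str]     # configuration baseline applied, None if absent


# Constructed snapshot before the shift to remote work.
INVENTORY_BEFORE: Dict[str, Asset] = {
    "LT-0101": Asset("LT-0101", "alice", "on-prem", "corp-win10-v3"),
    "LT-0102": Asset("LT-0102", "bob", "on-prem", "corp-win10-v3"),
    "WS-0200": Asset("WS-0200", "carol", "on-prem", "corp-win10-v3"),
}

# Constructed snapshot after: two laptops moved home, one laptop was bought
# in a hurry and has no baseline recorded yet.
INVENTORY_AFTER: Dict[str, Asset] = {
    "LT-0101": Asset("LT-0101", "alice", "remote", "corp-win10-v3"),
    "LT-0102": Asset("LT-0102", "bob", "remote", "corp-win10-v3"),
    "WS-0200": Asset("WS-0200", "carol", "on-prem", "corp-win10-v3"),
    "LT-0150": Asset("LT-0150", "dave", "remote", None),
}

# Constructed set of device IDs reported by the VPN concentrator today.
VPN_DEVICES: Set[str] = {"LT-0101", "LT-0102", "LT-0150", "MAC-9F3A"}


def moved_off_prem(before: Dict[str, Asset], after: Dict[str, Asset]):
    """Assets that were on-prem in the old snapshot and are remote now (ID.AM 1)."""
    return sorted(
        aid for aid, a in after.items()
        if a.location == "remote"
        and aid in before and before[aid].location == "on-prem"
    )


def missing_baseline(after: Dict[str, Asset]):
    """Remote assets with no configuration baseline recorded (ID.AM 6)."""
    return sorted(aid for aid, a in after.items()
                  if a.location == "remote" and a.baseline is None)


def unknown_vpn_devices(after: Dict[str, Asset], vpn_devices: Set[str]):
    """Device IDs on the VPN that the inventory does not know about, i.e.
    candidate BYOD or unvetted hardware (ID.AM 3)."""
    return sorted(vpn_devices - set(after))


def reconcile(before, after, vpn_devices):
    return {
        "moved_off_prem": moved_off_prem(before, after),
        "missing_baseline": missing_baseline(after),
        "unknown_vpn_devices": unknown_vpn_devices(after, vpn_devices),
    }


if __name__ == "__main__":
    for key, ids in reconcile(INVENTORY_BEFORE, INVENTORY_AFTER, VPN_DEVICES).items():
        print(f"{key}: {', '.join(ids) or '-'}")
```

Each list maps to a follow-up action from the tips above: moved assets get their inventory record and baseline revised, baseline-less assets get one assigned or are tracked explicitly as exceptions, and unknown VPN device IDs are either approved as BYOD or removed from the allowed set.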

ID.BE: Business Environment

  1. Adjust employee onboarding and off-boarding processes for social distance guidelines and travel restrictions.

ID.GV: Governance

  1. Monitor employee absenteeism to ensure that vital cybersecurity processes are appropriately staffed.
  2. Review policies and add any needed deviations to provide for remote work during the emergency.

ID.RA: Risk Assessment

  1. Re-assess risks that have changed or will change as a result of remote work.
  2. Increase the cadence of risk reviews.
  3. Ensure that the organization is collecting new threat data related to threat actors and threat actor campaigns targeting remote workforce or exploiting the current situation.

ID.RM: Risk Management Strategy

  1. Integrate risk assessment and decisioning in your COVID-19 response activities.
  2. Document any significant changes to cybersecurity strategy and program and obtain senior management authorization.

ID.SC: Supply Chain Risk Management

  1. Ensure that critical vendors can continue to support you per agreed SLAs and with remote service as appropriate.
  2. Review pandemic response plans and activities for key vendors.
  3. Increase monitoring on business conditions to identify critical suppliers that may be in financial distress.

PR: Protect

Once the organization has a grasp of the systems, assets, data, and capabilities in its environment and their associated risks, the next Function, Protect, guides actions for deciding what specific steps to take to protect them.

During the pandemic and lockdown, users have had fewer options for their “off-work” hours, so they spend more time online and across more devices, which widens the window of opportunity for exploitation.

PR.AC: Identity Management, Authentication and Access Control

  1. Make sure that all accounts that are used for remote access have been approved and documented.
  2. Ensure remote access requires strong (multifactor) authentication.
  3. Restrict the use of administrative/privileged accounts from remote locations. Instead, authenticate with a non-privileged account and escalate to a privileged account internally.
  4. Determine which functions should not be authorized for remote access (i.e., operations that must still be performed on-prem).
  5. Document authorization adjustments (when increased access is needed) in order to reverse them when the crisis is over.
  6. Based on the number of people no longer working in the office, tighten physical access to the premises if needed.

PR.AT: Awareness and Training

  1. Roll out specific training for effective, safe, and secure remote work practices.
  2. Launch awareness campaigns for threats targeting remote work (e.g., credential harvesting, phishing).
  3. Launch awareness campaigns for threats leveraging the COVID-19 crisis.
  4. Launch training and awareness on secure remote work issues (e.g., who can use company assets).

PR.DS: Data Security

  1. Evaluate data that is moving to unsecured environments or networks (e.g., home networks), and data that can now be accessed from those unsecured environments.

PR.IP: Information Protection Processes and Procedures

  1. Review and adjust security controls and configurations on assets that are moving onto untrusted networks (e.g., home networks) given absence of network security controls.

DE: Detect

The third NIST CSF Function focuses on the need to Detect effectively when a cybersecurity event may be occurring and to know what to look for. The FBI has reported roughly a 400% increase in reported cyber incidents since March 2020.

DE.AE: Anomalies and Events

  1. Adjust baseline thresholds to reflect the increase in remote work (i.e., what is acceptable, “normal” behavior and access).
  2. Detect behavior that exceeds those new baseline thresholds.

DE.CM: Security Continuous Monitoring

  1. Monitor for approved account access, explicitly noting access from non-approved accounts.
  2. Determine mechanisms to address vulnerabilities (e.g., scanning, patching) on remote assets.
  3. Incorporate newly acquired classes of assets in vulnerability processes.
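The PR.AC items on approved accounts, MFA and privileged accounts, and the DE.AE and DE.CM items on revised baseline thresholds and non-approved account access, come together in one routine review of the remote-access log. The following is an added example, not Axio's code or part of Axio360; the VPN log format, the sample log lines, the approved and privileged account lists, and the old and new per-user daily login thresholds are all constructed assumptions.

```python
"""Review a VPN authentication log against approved accounts and baselines.

Added example. The log line format below is an assumption; adapt LINE_RE to
your concentrator's format. All sample data is constructed.
"""
import re
from collections import Counter

# Constructed sample log (not real data). Note the second field is the
# concentrator host and "mfa" records whether a second factor was presented.
LOG_LINES = """\
2021-02-03T08:01:12Z vpn01 AUTH_OK user=alice src=203.0.113.10 mfa=yes
2021-02-03T08:02:45Z vpn01 AUTH_OK user=bob src=198.51.100.7 mfa=yes
2021-02-03T08:03:01Z vpn01 AUTH_OK user=svc_backup src=203.0.113.55 mfa=no
2021-02-03T08:04:10Z vpn01 AUTH_OK user=da_carol src=203.0.113.20 mfa=yes
2021-02-03T12:15:33Z vpn01 AUTH_OK user=bob src=198.51.100.7 mfa=yes
2021-02-03T13:00:07Z vpn01 AUTH_OK user=alice src=203.0.113.10 mfa=yes
2021-02-03T14:40:02Z vpn01 AUTH_OK user=bob src=198.51.100.7 mfa=yes
2021-02-03T19:22:51Z vpn01 AUTH_OK user=bob src=192.0.2.44 mfa=yes
2021-02-03T20:05:19Z vpn01 AUTH_FAIL user=alice src=192.0.2.99 mfa=no
""".splitlines()

# Accounts approved and documented for remote access (PR.AC 1); assumed.
APPROVED_REMOTE_ACCOUNTS = {"alice", "bob", "carol"}
# Accounts that should never be used directly over remote access (PR.AC 3).
PRIVILEGED_ACCOUNTS = {"da_carol", "svc_backup"}

# Per-user successful logins per day considered "normal" before and after
# the shift to remote work (DE.AE 1); assumed values.
OLD_BASELINE = {"max_ok_logins_per_user_per_day": 1}
NEW_BASELINE = {"max_ok_logins_per_user_per_day": 3}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>AUTH_OK|AUTH_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>yes|no)$"
)


def parse(lines):
    """Return a dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def review(events, baseline):
    """Return sorted, de-duplicated (user, finding) pairs for successful logins."""
    findings = set()
    ok_per_user_day = Counter()
    limit = baseline["max_ok_logins_per_user_per_day"]
    for e in events:
        if e["event"] != "AUTH_OK":
            continue                       # failures are a separate review
        user, day = e["user"], e["ts"][:10]
        ok_per_user_day[(user, day)] += 1
        if user not in APPROVED_REMOTE_ACCOUNTS:
            findings.add((user, "remote access by non-approved account"))
        if user in PRIVILEGED_ACCOUNTS:
            findings.add((user, "privileged account used for remote access"))
        if e["mfa"] != "yes":
            findings.add((user, "remote access without MFA"))
    # Threshold check against the baseline in force (DE.AE 2).
    for (user, day), n in ok_per_user_day.items():
        if n > limit:
            findings.add((user, f"{n} successful logins on {day} exceed baseline of {limit}"))
    return sorted(findings)


def review_remote_access(lines, baseline=NEW_BASELINE):
    return review(parse(lines), baseline)


if __name__ == "__main__":
    for user, finding in review_remote_access(LOG_LINES):
        print(f"{user}: {finding}")
```

Running the same events against OLD_BASELINE flags both alice and bob for login volume, while NEW_BASELINE flags only bob; that difference is exactly the noise the baseline adjustment in DE.AE 1 is meant to remove, without hiding the account-level findings that do not depend on volume.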

DE.DP: Detection Processes

  1. Ensure logging provides visibility on endpoints that are remote, the remote connections, and associated activity.
  2. Ensure that monitoring capabilities can be accessed remotely if necessary.

RS: Respond

The fourth NIST CSF Function is based on the fact that no organization is immune from a cybersecurity event, no matter how proactive it has been; so it is important to prepare to Respond to cybersecurity events.

During COVID-19, ransomware’s latest tactic is a shift to doxware, or double extortion: the attacker exfiltrates your data before encrypting it and threatens to publish it, or to notify your customers that you have been hacked and that their sensitive data is being held. So even if you have backups and don’t pay, your reputation is still at risk. How do you respond properly?

RS.RP: Response Planning

  1. Review and adjust thresholds for incident declaration.
  2. Adjust response team membership to provide additional backup team members.
  3. Evaluate your ability to respond remotely to incidents and adjust plans and technology accordingly.
  4. Ensure that third-party response resources (e.g., outsourced forensics) remain available and can support you remotely.

RS.CO: Communications

  1. Alert the workforce of specific threats due to COVID-19 or other campaigns currently targeting your organization.

RS.MI: Mitigation

  1. Ensure bandwidth availability for remote patching protocols over allowed access paths.
  2. Implement the ability to exclude (or quarantine) assets that don’t meet configuration/security baselines.
  3. Implement the ability to sever connections with compromised remote endpoints without depending on endpoint functionality (i.e., enforced network-side, at the VPN concentrator or firewall, since a compromised endpoint may not honor an agent command).
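Items 2 and 3 above amount to a policy decision (allow, quarantine, sever) taken from an endpoint posture report, followed by enforcement that lives on the network side so it works even when the endpoint itself is unresponsive or hostile. The following is an added example, not Axio's code or part of Axio360; the baseline values, the posture report fields, the sample reports, and the assumption of a Linux VPN gateway using ipset and conntrack are all constructed for illustration, and the enforcement commands are returned rather than executed.

```python
"""Decide allow / quarantine / sever from endpoint posture, then build the
network-side enforcement steps.

Added example with constructed data. The baseline values and report fields
are assumptions; so is the Linux gateway with ipset/conntrack.
"""
from datetime import date
from typing import Dict, List, Tuple

# Required configuration baseline for remote endpoints (assumed values).
BASELINE = {
    "min_agent_version": (4, 2, 0),   # endpoint agent must be at least this
    "max_patch_age_days": 30,         # last patch cycle no older than this
    "disk_encryption": True,
}

# Constructed posture reports as a VPN posture check or EDR console might
# supply them. "edr_alert" is the name of an active detection, if any.
REPORTS = [
    {"device": "LT-0101", "ip": "10.8.0.11", "agent_version": "4.2.1",
     "last_patched": "2021-01-20", "disk_encryption": True, "edr_alert": None},
    {"device": "LT-0102", "ip": "10.8.0.12", "agent_version": "3.9.0",
     "last_patched": "2020-11-02", "disk_encryption": True, "edr_alert": None},
    {"device": "LT-0150", "ip": "10.8.0.15", "agent_version": "4.2.1",
     "last_patched": "2021-01-30", "disk_encryption": False,
     "edr_alert": "credential-dumping"},
]


def parse_version(s: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in s.split("."))


def evaluate(report: dict, baseline: dict, today: date) -> Tuple[str, List[str]]:
    """Return (decision, reasons). An active EDR alert wins over baseline drift:
    a compromised host is severed, not merely quarantined for remediation."""
    if report["edr_alert"]:
        return "sever", [f"active EDR alert: {report['edr_alert']}"]
    reasons = []
    if parse_version(report["agent_version"]) < baseline["min_agent_version"]:
        reasons.append(f"agent {report['agent_version']} below required version")
    patch_age = (today - date.fromisoformat(report["last_patched"])).days
    if patch_age > baseline["max_patch_age_days"]:
        reasons.append(f"last patched {patch_age} days ago")
    if baseline["disk_encryption"] and not report["disk_encryption"]:
        reasons.append("disk encryption disabled")
    return ("quarantine", reasons) if reasons else ("allow", reasons)


def enforcement_actions(decision: str, ip: str) -> List[str]:
    """Network-side steps for the gateway; nothing here relies on the endpoint.

    Assumes (hypothetically) ipset sets named 'quarantine' and 'blocked' whose
    matching firewall rules allow only remediation servers, or nothing at all.
    """
    if decision == "allow":
        return []
    set_name = "quarantine" if decision == "quarantine" else "blocked"
    return [
        f"ipset add {set_name} {ip}",     # future packets hit the restrictive rule
        f"conntrack -D -s {ip}",          # drop flows already established
    ]


def triage(reports, baseline, today) -> Dict[str, Tuple[str, List[str]]]:
    return {r["device"]: evaluate(r, baseline, today) for r in reports}


if __name__ == "__main__":
    today = date(2021, 2, 3)   # fixed date so the constructed example is stable
    for r in REPORTS:
        decision, reasons = evaluate(r, BASELINE, today)
        print(r["device"], decision, reasons, enforcement_actions(decision, r["ip"]))
```

Severing a VPN session itself is product-specific and is deliberately not shown; the point of the ipset and conntrack pair is that the block and the flush both happen on the gateway, so they take effect even if the endpoint's agent has been killed or the device is off the corporate management path.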

RS.IM: Improvements

  1. Update response plans based on lessons learned that can come from responding to events with a remote workforce.

RC: Recover

Finally, the fifth NIST CSF Function, Recover, helps organizations get back to normal after a cyber event. With a more remote workforce, additional considerations may be necessary.

RC.RP: Recovery Planning

  1. Determine if the DR/BC plans are sufficient or need revision in light of the current pandemic response.
  2. Begin planning the “return to normal” strategy.

RC.IM: Improvements

  1. Revise current business continuity and pandemic response plans with any new lessons learned during this crisis.
  2. Review resources necessary to support the changing program during an emergency, such as a pandemic.

Getting Started with NIST CSF for Your Remote Workforce

The Axio360 platform is the easiest and fastest way to get started with NIST CSF. With the considerations above, you are well on your way to optimizing your work-from-home cyber program. If you’d like to learn more information and dive into more detail on how to perform a NIST CSF assessment in Axio360, you can book a demo and speak with one of our experts.

Axio360 Assessment Dashboard

Axio360 NIST CSF Assessment and Target Profile Interface

Axio360 NIST CSF Roadmap Planning Tool

About the author: Craig Shuster is Axio’s VP of Cyber Risk Engineering