When it comes to the CIA triad, confidentiality generally commands most of the attention. Organizations are worried about the unauthorized disclosure of their data, so they concentrate on reducing the risk of that type of incident.
In so doing, however, enterprises commonly overlook the other two triadic elements, integrity in particular.
Ron Ross, a fellow at the National Institute of Standards and Technology (NIST), thinks it’s a mistake for organizations to forget about integrity. He feels that way because of how an integrity-related security event can undermine the entire CIA triad:
“If you have a compromise of integrity, it can affect both availability and confidentiality. The malicious code can wreck confidentiality by getting access to things it shouldn’t have access to and seeing things it shouldn’t. Alternatively, compromising key components of a system through an integrity violation can make the system crash and the capability go away. That’s an availability issue. With that said, I don’t think we spend enough time talking about integrity. We’re focused on unauthorized disclosure when in reality integrity is right up there at the top and maybe one of the most important components.”
Integrity-Based Threats on the Rise
Integrity-related threats such as the ones described by Ross aren’t theoretical in nature, either. Attackers are already targeting organizations to compromise the integrity of their data and systems.
Take ransomware, for instance. According to a report published by Cybersecurity Ventures, the global costs of ransomware surpassed $5 billion in 2017. That’s a 15 percent increase in just two years. The report also estimates that ransomware attacks will continue to grow by 350 percent annually.
The effects of a ransomware infection or another integrity-related attack on an enterprise’s IT environment can be devastating. They can be even more serious for organizations that maintain the nation’s critical infrastructure. Such an incident can prevent those entities from delivering their services on time, if at all, and disruptions of that kind can threaten public safety.
Organizations need to defend themselves against integrity-related threats. To do so, they should consider turning to NIST’s Cybersecurity Framework.
The Gist of NIST
Published by the National Institute of Standards and Technology in 2014, the Framework is designed to help critical infrastructure organizations address pressing digital security challenges in their OT environments. Even so, its common language makes the Framework accessible to organizations in every economic sector. Companies can therefore use the Framework to confront ransomware or other threats and vulnerabilities unique to their industry, all while keeping in line with their respective business needs.
NIST’s Cybersecurity Framework constitutes a risk-based approach by which organizations can accelerate efforts to create a digital security strategy, reduce miscommunications among staff who are involved with security efforts, and heighten awareness of threats across the organization.
That includes awareness within the Board of Directors, as Ross rightly notes:
“A key piece of security is integrity. That needs to be an important consideration at the board level. Once they say integrity is important to this company because they want to protect the company’s intellectual property or want to make sure that intellectual property is not changed or have integrity in the things the company is producing for its customers, those things get conveyed down to the people who are in the operational chain below or the development chain. So if you’re developing a system or a product, that development work has to have high integrity, too, because management wants to make sure that what they’re producing is what the customer gets and they can be trusted to be giving customers what they expect.”
The NIST Framework to the Rescue!
Enterprises can use NIST’s Cybersecurity Framework to protect against integrity-themed threats. They can do so by pairing it with NIST 800-53, the Center for Internet Security’s (CIS) Critical Security Controls (CSCs), and other control sets that enable integrity management, including security configuration management (SCM) and file integrity monitoring (FIM).
They can also use the Framework to triage their systems based upon the types of consequences an integrity-related attack would have on the business.
The Framework facilitates these protective strategies via the following five core functions:
- Identify: Understand the business context and resources that support critical functions as well as their associated security risks.
- Protect: Enforce safeguards to ensure the delivery of a given service.
- Detect: Create activities that can assist in the discovery of a security incident.
- Respond: Develop procedures that can help contain the impact of a security event.
- Recover: Implement measures that can facilitate the organization’s transition back to normal operations after a security incident.
Each of those functions allows organizations to strategize against integrity-based threats. Together they lay out the foundation for where the organization wants to go. With that groundwork in place, enterprises can then create a security program in pursuit of that goal.
For more information on how organizations can use NIST’s Cybersecurity Framework to defend against integrity-based attacks, download this whitepaper.