The Federal Trade Commission (FTC) has released a video that explains how companies can use NIST’s Cybersecurity Framework together with the FTC’s own “Start with Security” guidelines to greatly improve security in their organization. In this article, we highlight the five key tenets of the framework and how, in each case, they could have prevented FTC action and penalties.
First, a very brief overview of the Cybersecurity Framework is outlined in Figure A below. The framework is built around a “Framework Core,” defined by the National Institute of Standards and Technology (NIST) as a “set of activities to achieve specific cybersecurity outcomes, and reference examples of guidance on how to achieve those outcomes.”
The core is organized into five functions, or basic cybersecurity activities: 1) Identify, 2) Protect, 3) Detect, 4) Respond and 5) Recover. These functions group information that management can use to implement security safeguards, measure progress and prioritize security efforts. You can download the full framework published by NIST here.
Each function is then divided into categories that define more specific security practices and capabilities (e.g., asset management, access control).
Subcategories describe the more detailed or technical controls needed to meet the objectives within each category. Informative references point to industry standards and best practices (e.g., NIST “Special Publications” or the ISO 27001 standard).
The FTC emphasizes that the Cybersecurity Framework is not a “one-size-fits-all” approach to managing cybersecurity risk, and it is certainly not a checklist. Rather, businesses can use the framework as a set of best practices and a “common language” to draw on when building a cybersecurity program.
It is important to note that the Framework is also closely related to the FTC’s work on data security (see video). For instance, the FTC has undertaken substantial efforts over the past decade to promote data security protections, such as:
- Civil law enforcement (using Section 5 of the FTC Act, “Unfair or Deceptive Acts or Practices,” as the enforcement tool)
- Business and consumer education policies, and
- Recommendations to Congress to enact new legislation.
So, here are five (5) important lessons learned from the FTC’s nearly 60 case settlements, and how the Cybersecurity Framework’s best practices, had they been implemented, could have helped prevent a negative outcome:
1) Identify: “Develop the organization’s understanding to manage cybersecurity risk to systems, assets, data and capabilities.”
In two separate complaints against HTC America, Inc. and TRENDnet, Inc., the FTC alleged that the two companies “did not have a process for receiving, addressing, or monitoring reports about security vulnerabilities.” The HTC settlement was the FTC’s first against a mobile device manufacturer and highlighted multiple deficiencies in security practice, including: inadequate security and privacy training, a lack of testing and auditing of the software on its mobile devices for potential security vulnerabilities, a need for secure programming practices, and a gap in the process for receiving and addressing vulnerability reports from third parties.
Similarly, TRENDnet shipped faulty software that left its cameras “open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address.” In line with the Cybersecurity Framework, the FTC recommended a comprehensive security program to address security risks, patches to address the vulnerabilities, and third-party security assessments.
2) Protect: “Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.”
The FTC settled two similar cases against Accretive Health, Inc. and Cbr Systems, Inc. because an employee laptop and portable storage media, respectively, were poorly handled, which led to the theft and exposure of personal information. As highlighted in the Framework’s “Protect” guidance, data must be transported securely and protected with strong encryption controls (such as whole-disk encryption on laptops, and password-protected, encrypted USB drives or backup media) so that it is not exposed if a device is lost or stolen.
3) Detect: “Develop and implement the appropriate activities to identify the occurrence of cybersecurity events.”
The FTC alleged that Franklin’s Budget Car Sales, Inc. allowed peer-to-peer (P2P) software to be installed on its network, which led to sensitive data being uploaded to a P2P network and the compromise of 95,000 consumer records. These reported deficiencies did not align with the Framework’s “Detect” guidance, which calls for monitoring networks for potential security events and for unauthorized devices, software or user connections.
4) Respond: “Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.”
Just last year, the FTC settled a case with Taiwan-based computer hardware maker ASUSTeK Computer, Inc., after ASUS failed to fix a number of critical security flaws in its routers that put hundreds of thousands of home networks and consumers at risk. The complaint also included charges concerning ASUS’s cloud services, whose flaws led to thousands of cloud-connected storage devices being compromised and personal data being exposed to the internet.
One of the important points of the case, the FTC alleges, is that ASUS neither notified its customers of the risk posed by the unpatched router vulnerabilities nor addressed the security flaws in a timely manner.
5) Recover: “Develop and implement the appropriate activities to maintain plans for resilience and to restore capabilities or services that were impaired due to a cybersecurity event.”
In the final example, the FTC settled a case with Oracle, alleging that the company had deceived consumers about the security update process for its Java Platform, Standard Edition software (Java SE). In short, Oracle failed to notify consumers that the Java SE update only replaced the most recent version of Java and did not remove the earlier versions. As most security practitioners know, attackers can craft malware to exploit the known vulnerabilities in those older Java versions. So it is important to remove legacy and unused software and to ensure all remaining software is up to date.
Based on these lessons learned and its settlement with the FTC, Oracle has since changed its practices: the Java SE update process now notifies consumers if they have outdated versions of the software on their computer (and explains the risks of not removing older software) and gives them the option to uninstall it.
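Two of the lessons above, the “Detect” guidance on spotting unauthorized software on the network and the “Recover” lesson on leftover outdated Java installations, come down to the same routine control: compare a software inventory against policy and act on the findings. The script below is an added example written for this article; it is not code from the FTC, NIST or any of the companies discussed. The inventory feed format (`host,package,version`), the allowlist and the minimum-version table are all constructed and hypothetical, and the version comparison is deliberately simple (it compares the numeric parts of strings such as `8u60` or `120.0.6099`).

```python
"""Inventory check for unauthorized, duplicate and outdated software.

Added example for this article (not the FTC's, NIST's or any vendor's code).
The inventory lines, allowlist and version floors below are constructed.
"""
import re
from collections import defaultdict

# Constructed inventory feed, one installed package per line: host,package,version
INVENTORY = """\
ws-101,Google Chrome,120.0.6099
ws-101,Java SE,8u60
ws-101,Java SE,7u45
ws-102,LimeWire,5.5.16
ws-102,Java SE,8u60
ws-103,uTorrent,3.5.5
ws-103,Java SE,6u27
"""

# Constructed policy: software permitted on endpoints, and the minimum
# acceptable version where the organization tracks one.
ALLOWLIST = {"Google Chrome", "Java SE"}
MIN_VERSION = {"Java SE": "8u60"}


def parse_version(version):
    """Turn '8u60' or '120.0.6099' into a tuple of ints so versions compare."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_inventory(text):
    """Parse the constructed host,package,version feed into (host, name, version) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, name, version = (field.strip() for field in line.split(",", 2))
        rows.append((host, name, version))
    return rows


def check_inventory(rows, allowlist=ALLOWLIST, min_version=MIN_VERSION):
    """Return a sorted list of (host, finding) pairs.

    Findings cover: software not on the allowlist (the P2P case), more than one
    version of a package on the same host (the leftover-Java case), and any
    version below the configured minimum.
    """
    findings = []
    per_host = defaultdict(lambda: defaultdict(list))
    for host, name, version in rows:
        per_host[host][name].append(version)
        if name not in allowlist:
            findings.append((host, f"unauthorized software: {name} {version}"))
    for host, packages in per_host.items():
        for name, versions in packages.items():
            if len(versions) > 1:
                listed = ", ".join(sorted(versions))
                findings.append((host, f"multiple versions of {name} installed: {listed}"))
            floor = min_version.get(name)
            if floor is None:
                continue
            for version in versions:
                if parse_version(version) < parse_version(floor):
                    findings.append((host, f"outdated {name} {version} (minimum {floor})"))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in check_inventory(parse_inventory(INVENTORY)):
        print(f"{host}: {finding}")
```

Run against the constructed feed, the check reports the P2P clients on ws-102 and ws-103 as unauthorized, flags ws-101 for carrying two Java SE versions side by side, and marks the 7u45 and 6u27 installs as below the floor. In practice the inventory would come from an endpoint agent or configuration-management export, and the findings would feed a ticket queue or SIEM rather than standard output.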
Each of these five functional areas of the Cybersecurity Framework can help organizations with simple yet powerful security best practices. Even this small sample of related FTC law enforcement cases and settlements gives business owners and operators concrete examples of the controls needed to reduce the likelihood of a similar incident in their own organization.