Website Security Cheatsheet

Thinking about securely managing your website but not sure where to start? There is a wealth of information online, but the sheer amount of it can feel overwhelming. To help, we at Xykon have compiled a short 10-item cheat sheet of basic measures that can improve your website security dramatically.

Here’s the cheat sheet:

  1. Ensure information assets on your website are classified using the same system your organization uses for all assets: If you do sensitive work or hold private data (think health information), you need to inventory and classify those assets so that you know WHAT you have and what it’s WORTH. Do you have a list of clients that needs to be kept secure? Are there online documents containing passwords? How about detailed research about your target customer base? If your organization does not inventory, value and classify all online assets, engage a consulting firm like Xykon to conduct a baseline risk assessment so that recommended controls can be established organization-wide. This ensures that security measures are commensurate with how your organization treats information classification and categorization as a whole.
  2. Perform a risk assessment: It is the surest way to be confident that you know where your high-risk areas are, and only once you have identified them can you effectively allocate resources to address them. No organization has unlimited funds to invest in cybersecurity. To help customers invest wisely, Xykon recommends understanding website risk, establishing an acceptable risk level (or risk appetite), and then linking these back to a risk management plan. Xykon specializes in using the NIST Cybersecurity Framework (NIST CSF), which in turn is used to implement the NIST 800-series and CSC Top 20 Critical Security Controls. We also specialize in ISO 27001/27002 and FISMA.
  3. Practice Least Privilege: Least Privilege is the rule that “every process, user, or application can access ONLY the information and resources that are absolutely necessary and nothing more.” In practice it means eliminating unnecessary administrators on the website’s front end and back end; having only necessary (and trained) administrators reduces the chance of security holes being introduced unwittingly. Observing Least Privilege also requires roles to be clearly defined by their allowable actions. For example, common roles like administrator, staff, editor, dues-paying member, or content approver are each limited to certain behaviors within the site. A huge advantage of this is that an attacker using a compromised account is constrained by those same rules.
  4. Implement bare minimum controls: There are ten basic measures that Xykon recommends for all websites, regardless of the type of content hosted:
    1. Implement a web application firewall (WAF).
    2. Use a Single Sign-On (SSO) system, preferably one your organization already uses.
    3. Separate the database and web servers.
    4. Restrict and control remote access to your database and web server by IP address and username.
    5. Require SSH keys in addition to usernames. Use two-factor authentication for all access, remote or otherwise. Whether to require a VPN for remote access depends on your risk assessment.
    6. Enforce a minimum password length of 15 characters. Use the longest usernames your applications permit.
    7. Implement a CAPTCHA.
    8. Limit and control file uploads.
    9. Disallow iframes.
    10. Disallow absolute links in code.
  5. Use a code versioning system: Deny developers direct access to production systems and have them work through a code versioning system instead. Code versioning systems track when a code change is made and what that change is, which is extremely useful for rolling back to clean code versions after security holes or errors are introduced. Xykon uses Bitbucket and GitHub for managing our client code repositories.
  6. Collect detailed logs frequently and consistently: Logs are usually the first tool security experts use to determine the point of entry, trace activity, and draw conclusions about the attacker’s end targets, so detailed logs can be crucial to timely recovery. As important as their role is, though, most systems are set up with default logging, which is often inadequate. Logs should not only be detailed but also be sent to your organization’s log management system or SIEM (Security Information and Event Management) system, such as ArcSight. If your organization’s logs are not detailed or you do not have a log management system, consult a security firm like Xykon for assistance.
  7. Encrypt using SSL/TLS: Ensure the website is accessible only over HTTPS, and block insecure protocols such as FTP and Telnet.
  8. Implement a CDN (content delivery network): Funnel access to all website static content through a CDN. In addition to limiting load on the website server, this helps protect against denial-of-service attacks.
  9. Make backups: Ensure the website can be easily restored by taking regular backups to a remote location. If your website gets hacked, sometimes the quickest remedy is to put up a clean copy of your site as soon as possible. For that you will need backups, safely stored and taken at different points in time.
  10. Educate your users and administrators: Your users should know what to do when attackers use social engineering to penetrate your defences. Social engineering is when attackers directly target individuals with the sole intent of tricking them into installing malware or surrendering their credentials; yet sometimes the actual end target may be more than three times removed from the initial attack. Hire a security firm to train your staff and partners to recognize the signs of an attempted or successful attack and to report them to the right people as soon as possible. A consulting firm like Xykon will also ensure your website security training is linked with your organization’s broader security training program.
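Several of the items above are controls you can enforce in application code rather than leaving to policy. As an added example (not code from the original page or from Xykon), here is a small Python WSGI application that puts four of them together: deny-by-default role checks for item 3, anti-framing headers for item 4.9, HTTPS-only redirects plus HSTS for item 7, and one structured audit record per request for item 6. The role names, the `app.role`/`app.action` environ keys, the host name and the client address are assumptions constructed for illustration; in a real deployment an authentication layer would set the role and the audit records would be shipped to your log management system or SIEM.

```python
"""Added example: enforcing cheat-sheet items 3, 4.9, 6 and 7 in a WSGI app.
Roles, actions, the 'app.role'/'app.action' environ keys and all request
values are constructed for illustration, not taken from any real site."""
import json
import time
from urllib.parse import urlunsplit

# Item 3: roles are defined by their allowable actions; anything unlisted is denied.
ROLE_PERMISSIONS = {
    "administrator": {"read", "edit", "approve", "manage_users"},
    "editor": {"read", "edit"},
    "content_approver": {"read", "approve"},
    "member": {"read"},
}

# Item 4.9 (no iframes) and item 7 (HTTPS only) expressed as response headers.
SECURITY_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

# Item 6: one detailed JSON record per request. Kept in memory here; a real
# deployment forwards these to the log management system / SIEM.
AUDIT_LOG = []


def is_allowed(role, action):
    """Least privilege, deny by default: unknown roles and actions yield False."""
    return action in ROLE_PERMISSIONS.get(role, set())


def https_url(environ):
    """Rebuild the requested URL with the https scheme for the redirect."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    return urlunsplit(("https", host, environ.get("PATH_INFO", "/"),
                       environ.get("QUERY_STRING", ""), ""))


def record(environ, role, action, status):
    """Log who did what, from where, and the outcome: the fields an analyst needs."""
    AUDIT_LOG.append(json.dumps({
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "client": environ.get("REMOTE_ADDR", "-"),
        "method": environ.get("REQUEST_METHOD", "-"),
        "path": environ.get("PATH_INFO", "/"),
        "role": role,
        "action": action,
        "status": status,
    }))


def application(environ, start_response):
    # Hypothetical keys filled in by an upstream authentication layer.
    role = environ.get("app.role", "anonymous")
    action = environ.get("app.action", "read")

    # Item 7: a cleartext request is never served; it is redirected to HTTPS.
    if environ.get("wsgi.url_scheme") != "https":
        status = "301 Moved Permanently"
        record(environ, role, action, status)
        start_response(status, [("Location", https_url(environ)),
                                ("Content-Length", "0")])
        return [b""]

    # Item 3: a compromised editor account still cannot approve or manage users.
    if is_allowed(role, action):
        status, body = "200 OK", f"{role} may {action}\n".encode()
    else:
        status, body = "403 Forbidden", b"forbidden\n"
    record(environ, role, action, status)
    start_response(status, SECURITY_HEADERS + [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


def run_request(scheme, role, action, path="/admin"):
    """Drive the app with a constructed WSGI environ; returns (status, headers, body)."""
    environ = {
        "wsgi.url_scheme": scheme, "HTTP_HOST": "www.example.org",
        "REMOTE_ADDR": "203.0.113.7", "REQUEST_METHOD": "GET",
        "PATH_INFO": path, "QUERY_STRING": "",
        "app.role": role, "app.action": action,
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(application(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(run_request("http", "editor", "read"))                # redirected to https
    print(run_request("https", "editor", "approve"))            # 403: editors cannot approve
    print(run_request("https", "content_approver", "approve"))  # 200 with anti-framing headers
    print("\n".join(AUDIT_LOG))
```

The point of `ROLE_PERMISSIONS` being a whitelist is that adding a new action to the site does not silently grant it to anyone: each role has to be given it explicitly, which is exactly what item 3 asks for. The audit record deliberately captures the denied attempts as well as the successful ones, since a run of 403s from one account is often the first sign that its credentials have been compromised.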

We hope this cheat sheet has been helpful. As you can see, there are multiple ways to increase web security. If you think something is missing from this short list, please let us know via our contact form. Remember, before undertaking any major changes, do a risk assessment to ensure that you are focusing on the right problems and applying the best solutions.


Intelligent Websites

A new study was recently released in which neurobiologist Joshua Rosenthal showed that cephalopods can rewrite their RNA to meet the demands of their environments. They are in essence capable of intentionally genetically recoding their DNA. That is, figuratively, what our websites do: dynamically redesign themselves to fit each individual user’s environment and preferences.

Website Development Over The Years

Around 20 years ago, most public websites were created using static layouts in basic HTML.

Around 10 years ago, Xykon started designing and developing “fluid” sites. “Fluid” is how web developers referred to sites that could expand and shrink to fill any screen regardless of the device being used. Fluid was the precursor to the term “responsive web design.”

Around 7 years ago, the term “responsive web design” was coined as another way of describing fluid websites, and the fluid web design structure became the new standard for web developers around the world. Responsive web design (aka “fluid” site development) had been honed to a science, and Xykon continued building sites that worked on desktops, tablets, and mobile phones.

Today, designers and developers are pushing the boundaries on customized experiences, but few are marrying security, user experience, and design like Xykon is.

What Xykon Is Doing

Sumati Mathur, Xykon’s President and CEO, had an idea. Instead of simply crafting sites that looked beautiful, why not build sites that gave users exactly what they wanted? This wasn’t exactly a new idea; it was the holy grail for most organizations: show users exactly what they needed to see in order to further mission-related work. The strategy, technique and execution to achieve this, however, were sorely lacking.

The chief problem was that it was difficult to design a site to appeal to every user.

The industry-standard solution was to identify a few key target audiences and create an experience that would appeal to those few audiences, and hope to achieve optimal impact.

But what if, Mathur speculated, web applications could tell what unique visitors wanted as soon as they landed on your site? If web apps could tap that data, then Xykon developers could, through a bit of creative programming, rearrange site content and layout to suit each visitor’s unique tastes, making each visual and text maximally effective.

Enter User Metadata

Data about online users is collected by an ever-growing number of companies and used to create highly detailed profiles. Most users are unaware of these generated profiles until they wander to a new site and are targeted with ads based on their history of online activities.

The same, Mathur reasoned, could and should be done for organizations’ websites, and would make those websites much more effective not just in terms of content and design but also in terms of security. Knowing who the user was, where they were from, what groups they actively participated in, and their general browsing history enabled Xykon developers to restrict or open vulnerable site features accordingly.

Xykon began building websites predicated on these ideas, and the websites were astoundingly successful. Analytics showed that these sites had better uptime when targeted by malicious users, engaged users better, and prompted repeat site visits. These websites also resulted in increased memberships and donations, more loyal followers, and organic word-of-mouth advertising for their organizations.

Mathur expects to continue honing this strategy of incorporating a 360-degree view of each site visitor into website design and defense. She believes that adoption of this strategy will one day become standard, ushering in a new era of intelligent web design.

2017 Presentation On Managing Risk Using The NIST Cybersecurity Framework – VJ Rao

VJ Presents at the ISACA Cybersecurity conference

Xykon’s VJ Rao frequently speaks about the NIST Cybersecurity Framework.

  • Besides being a critical tool for enhancing enterprise security, NIST Cybersecurity Framework adoption is now a FEDERAL MANDATE, based on an executive order signed by President Trump on May 11, 2017.

Xykon can help your organization become compliant with this federal mandate.

Contact us for more information or if you have questions or comments about the presentation.

You can also view the presentation below.


View the presentation by VJ Rao – Xykon

Our Services

From web design and server architecture to communications and outreach efforts, the hallmark of our service is quality and simplicity.

Google Applications

Google’s cloud computing platform, Google Apps, helps businesses improve their collaboration and communication practices.

Managed Hosting

Tired of the blame game? The buck stops here. Xykon will host your websites, manage your servers (by applying updates and patches as needed), and keep your websites in good health.

Websites That Work

The difference between a stellar website and a mediocre one may only be skin deep, but when it comes to visitor response, the difference is nothing short of staggering.

Risk Assessment

If you’re looking to contain risks after the damage has been done, it’s already too late.

Website Security

Your website is a medium to reach millions of users across the world. It’s your first impression, your virtual storefront, an extension of your brand and your identity. It’s a result of considerable time, effort and financial resources.

Hardware Installs

In order to better serve our clients, Xykon provides hardware services in addition to application support.