Selected Inaugural Providers BH Consulting, KPMG, Optiv and Securosis Ready to Help Organizations Ensure Secure Cloud Implementation Best Practices
SEATTLE, WA – June 5, 2017 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the launch and immediate availability of the CSA Global Consultancy Program (CSA-GCP). The new professional services program, developed and managed by the CSA, has been established to support the growing global demand from organizations in need of improved cloud security posture and high standards of compliance and assurance. The CSA-GCP is grounded with CSA’s industry-leading and widely accepted best practices in cloud security and is being offered by a highly-vetted, trusted network of organizations and professionals with the first being BH Consulting, KMPG, Optiv and Securosis.
“For many organizations, adopting the cloud can seem like a monumental task, and it can be difficult to know where to begin as there are too many and often too complex series of business and technology decisions that must be understood and weighted,” said Daniele Catteddu, CTO of the CSA. “The Cloud Security Alliance Global Consulting Program has been created with precisely this in mind and supports our ongoing mission of providing best practices and education for secure cloud computing. These first four program providers are among the most trusted and recognized in the industry and bring with them a broad understanding of the challenges organizations face when moving to the cloud. We are excited and fortunate to have them on board.”
The first four providers making up the initial program network are:
BH Consulting is an independent advisory firm, specializing in information security consulting, ISO 27001, cybersecurity, risk assessment, cloud security, incident response, cloud and digital forensics, and training.
KPMG is one of the largest professional services companies in the world, providing audit, tax and advisory services. KPMG works closely with their clients, helping them to mitigate risks and grasp opportunities.
Optiv is a provider of end-to-end cybersecurity solutions to help companies plan, build and run successful cybersecurity programs in any technology environment, whether on premise, cloud or a hybrid of both.
Securosis is an information security research and advisory firm that has the field-tested techniques, frameworks, and programs to be “more” secure in the cloud than in data-centers, without sacrificing agility.
The CSA-GCP will initially focus on consultancy support in the areas of secure cloud design, cloud architectures, secure cloud implementation, cloud information security programs, cloud assessment and compliance, risk management, and cloud security governance. The following CSA best practices will be included as a reference body of knowledge: CSA Security Guidance, Cloud Control Matrix, Consensus Assessment Initiative, Open Certification Framework and STAR Program, Enterprise Architecture, and Software-Defined Perimeter.
Only organizations with a broad understanding of CSA best practices and values are eligible to be recognized as a qualified source of professional services based on CSA best practices. Provider fees for consultancy work are set independently by each authorized partner and are based on the individual program scope and support required. Organizations interested in working with one of the CSA-GCP providers may visit https://cloudsecurityalliance.org/global-consultancy/#_contact.
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.
In today’s climate, it is fully apparent organizations must treat cyber security as a central business priority.
While awareness about cyber security’s importance is spreading among enterprise leaders – and how could it not, given the way cyber threats have dominated many of our recent news cycles? – ISACA’s State of Cyber Security 2017: Current Trends in the Threat Landscape report suggests that the growing awareness must lead to addressing unsettling gaps in many organizations’ security programs.
The report shows that only 53 percent of organizations have a process in place to handle and recover from ransomware incidents – a very concerning statistic, but perhaps one that will change markedly in the aftermath of the massive WannaCry attacks. The enormous scope of those global attacks made it clear that any organization unprepared for ransomware is in need of “a rapid rethink,” as my ISACA colleague, Raef Meeuwisse, noted.
Concerns about the security of Internet of Things (IoT) devices also show no signs of abating. The majority of enterprises said they are concerned about IoT devices in the workplace, which surely factors into the 4 in 5 respondents who consider it likely or very likely that their enterprise will experience a cyberattack this year.
Not all is gloomy – there were some encouraging findings, as well. The State of Cyber Security 2017 report finds that exploits resulting from mobile device loss is down significantly, which aligns with the recent Study on Mobile Device Security from the US Department of Homeland Security, in conjunction with NIST. That report indicates that mobile device security is generally improving, noting, however, that “many communication paths remain unprotected and leave the overall ecosystem vulnerable to attacks.”
ISACA’s 2016 State of Cyber Security report showed that 50 percent of the responding organizations had CISOs. This year, 65 percent have them, which reinforces that executive leadership is making security a priority. Still, budgets are not keeping up with the rapidly expanding threat landscape; only half of organizations expect an increase in their security budgets in the coming year, 11 percentage points fewer than those who said they expected an increase in last year’s report.
If enterprises are going to be prepared for the mounting challenges, investing in a strong cyber security workforce is a must. Security professionals must not only be trained, but have their skills developed and refreshed using hands-on technical training and performance-based assessment, which is why this year ISACA developed the Cybersecurity Nexus (CSX)™ Training Platform. This focus on skills development must occur while assuring that professionals understand the nature of the enterprises for which they work.
There is much that must be done – urgently – as ISACA’s State of Cyber Security 2017 makes clear. Consider that fewer than half of security leaders said they are confident in their team’s ability to handle anything beyond simple cyber incidents. In today’s threat landscape, that is unacceptable.
By now, the importance of bolstering cyber security capabilities is clear to all responsible enterprises. The ones who commit to developing a strong culture of cyber security – and providing the resources necessary to build skilled and well-trained security teams – are the ones that will thrive in today’s global economy.
Editor’s note: Current Trends in the Threat Landscape is the second installment in ISACA’s State of Cyber Security 2017 report. The first installment focused on workforce trends and challenges. Both reports are available at www.isaca.org/state-of-cyber-security-2017.
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, chair of ISACA’s Board of Directors and group director of Information Security for INTRALOT
In April, a group known as the “Shadow Brokers” released a cache of stolen information that included multiple tools to exploit vulnerabilities in various versions of Microsoft Windows. The most famous of these is an exploit tool called “EternalBlue” which was repurposed to spread the WanaCrypt0r ransomware/worm earlier this month. Another tool released in this dump is “EsteemAudit”, which exploits CVE-2017-9073, a vulnerability in the Windows Remote Desktop system on Windows XP and Windows Server 2003. Both versions of this operating system are no longer supported by Microsoft (XP ended in 2014, Server 2003 in 2015) and as such Microsoft has not released a patch for the vulnerability.
Organizations that still rely on these out-of-date operating systems need to ensure they are defending against exploitation of this vulnerability, as it allows a remote attacker to take control over the system without any authentication.
Palo Alto Networks defends our customers’ systems from this exploit in the following ways:
Traps prevents exploitation of this vulnerability on Windows XP and Server 2003 hosts.
Threat Prevention Signature 32533 released in Content Update 692 detects the exploit in the NGFW.
Organizations that cannot upgrade systems and do not use the protections describe above should consider disabling the smart card module through Group Policy or in the registry.
Exploitation of the vulnerability is complex, but the EsteemAudit tool makes it possible for novices to use it. The remainder of this blog includes a detailed analysis of where the vulnerability exists and how EsteemAudit exploits it.
EsteemAudit Overview
This RDP remote exploit named EsteemAudit uses an inter-chunk heap overflow in an internal structure (named key_set with a size of 0x24a8) on the system heap allocated by gpkcsp.dll, which is a component of Windows Smart Card. In detail, there is 0x80 sized buffer (named key_data) in the key_set structure to store smart card information, after which there are two key_object pointers in adjacent memory. However, there is a call to memcpy in gpkcsp! MyCPAcquireContext with no boundary check, copying the entire user-controlled sized data to the location of 0x80 sized key_data. If the attacker puts more than 0x80 sized data as the source argument of memcpy, the key_object pointer adjacent with key_data will be overflowed. To exploit this, the EsteemAudit code puts the 0xb2-7 size controlled data as the source argument of memcpy, and overflowed key_object pointer with a fixed address 0x080190dc, which is an address of data section of gpkcsp.dll. After triggering the memcpy path to complete the overflow, the exploiter puts user-controlled data in that global variable at a fixed address 0x080190d8 in data section, and then triggers gpkcsp!ReleaseProvider to release the C++ object key_object (call [vtable+8]) to get control over EIP. Finally, the SharedUserData technique is used to call VirtualProtect by syscall with number 0x8f and the first stage shellcode is executed.
Introduction
Remote RDP exploits are the stuff of legend. Fortunately, no public remote exploit for Windows RDP has been available since the NT4/Win98 era. In April 2017, a group using the name “The Shadowbrokers” released an RDP exploit named EsteemAudit which attacks the remote desktop service on Windows 2003 and Windows XP by using an inter-chunk heap overflow in the Smart Card component gpkscp.dll. In this blog, we will first describe some of the internals of remote desktop protocol and mechanism, and then analyze the EsteemAudit.exe itself. Next we will analyze the details about how to deal with the RDP data in kernel and user land, how the inter-chunk heap overflow occurs, and how to exploit this inter-chunk heap overflow to execute shellcode on the vulnerable system. Finally, we will introduce the possible detection methods and how to mitigate this vulnerability without a patch.
Mechanism and Protocol
The full details of how the Remote Desktop Protocol operates are out of scope for this blog, but in this section we’ll describe the components which are relevant to this exploit.
Architecture and Components
The Terminal Services Architecture has four parts: multi-user kernel, the Remote Desktop client, the Terminal Services Licensing service, and Session Directory Services.
The following table describes the Terminal Services architecture components.
Figure 2 Terminal Services Architecture Components – From Microsoft
Nicolas Collignon describes the relationships between these components in his paper named Tunneling TCP over RDP.
In the kernel-land, the relevant component is rdpwd.sys, which is responsible for MCS (Multipoint Communication Service) stack. The RDP PDU (Protocol Data Unit) are parsed and decrypted in this component.
In user-land, the winlogon component is most relevant. It is responsible for authentication of remote client. For example, if the client request a smart card redirection, the winlogon.exe will launch smart card component and communicate with the client.
MS-RDPBCGR is based on the ITU (International Telecommunication Union) T.120 series of protocols. The T.120 standard is composed of multiple other standards, and uses the X.224 standard for transport layer communications. The X.224 standard specified how RDP packets should be encrypted and we can see this in “request PDU” and “confirm PDU” requests.
The encryptionMethods flag in X.224 request in the example below is set to 0x00000012, which represents the client requesting the 128-bit RC4 encryption [128BIT_ENCRYPTION_FLAG 0x00000002] or FIPS[FIPS_ENCRYPTION_FLAG 0x00000010].
After the RDP connection is created, the PDU between client and server will be encrypted with the negotiated encryption method (for example: 128-bit RC4). Below is an example of Client Info PDU.
Figure 5 RDP Client Info PDU
The data included in this PDU is parsed out into the following components:
64 00 04 03 eb 70 81 56 -> PER encoded (ALIGNED variant of BASIC-PER) SendDataRequestinitiator = 1005 (0x03ed)
We can parse the protocol details from plain TS_INFO_PACKET according the format described in [MS-RDPBCGR].
Figure 6 Info Packet Structure from MS-RDPBCGR
Smart Card Extension
RDP has an extension which supports remote client login using a smart card. From [MS-RDPESC], we can find the protocol sequence and details of protocol flow.
Figure 7 High Level Protocol Sequence Diagram from MS-RDPESC
Figure 8 Protocol Flow Diagram from MS-RDPESC
EsteemAudit uses the type of SCARD_IOCTL_TRANSMIT to communicate with the smart card module on the server.
Figure 9 SCARD_IOCTL_TRANSMIT description from MS-RDPESC
As the specification states, the packet returned to a client by the server has a type of Transmit_Return. The specification describes the various fields this packet includes.
Figure 10: Transmit_Return description from MS-RDPESC
The packet sent from server to server has a type of Transmit_Call.
Figure 11 Transmit_Call description from MS-RDPESC
RDP Exploit Client (EsteemAudit.exe)
After understanding the basic knowledge of architecture, components, protocol and communications of RDP, we can look specifically at what the EsteemAudit.exe exploit client does. EsteemAudit.exe is responsible for communicating with the RDP server just like an RDP Client according the RDP protocol. It emulates an RDP client using a smart card, and sends a smart card redirection authentication request to RDP server to force it to handle the data and structure sent by EsteemAudit using the smart card module gpkcsp.dll where the vulnerability exists.
EsteemAudit.exe Overview
After reverse engineering the EsteemAudit binary, we found the exploit-start function named GoRunExp at the address .text:00381009. We will not show the entire function for brevity, and only introduce the main execution flow here.
GoRunExpà InitializeInputParameters //get the config information
à connect2Target
ààinitRDPLib
ààemulateSmartCard
ààconnect2RDP
ààregisterCallback(CallBackFunction)
à RecvProcessSendPackets
à RdpLib_SendKeyStrokes // Sending Space Bar
à RecvProcessSendPackets
à buildExpBuffer
ààbuild_all_x86
àààbuild_overflow_x86
àààbuild_exploit_x86
àààbuild_egg0_x86
ààà//set auth code, xor mask, open payload dll, etc
ààà build_egg1_payloadxxx
à RdpLib_SendKeyStrokes // Sending Enter key
à RecvProcessSendPackets
…
à RecvProcessSendPackets
àà//send smart card authentication redirection request, receive and process the according response, communicate with the server, in the last phase send the ExpBuffer(including overflow buffer, exploit and egg0 buffer) to the server to control the EIP, at last send the end response to server to end the first stage.
àà//to be mentioned, CallBackFunction registered in connect2Target will be called to process the response and prints logs like “SELECT_FILE – GPK Card MF”, “GET_RESPONSE – data unit size”, “GET_RESPONSE – serial number”.
…
We found that after the preparation work including connect2Target and building the exploit buffer, RecvProcessSendPackets is called repeatedly to receive and process the data from the server and send the buffer previously prepared back to it. RecvProcessSendPackets is responsible for all the details of communicating with smart card modules on the RDP server, which we discuss in an upcoming section. However, we will not introduce the details of this function, but focus on what packets RecvProcessSendPackets sends to exploit the vulnerability.
Overflow Packet
When building the overflow packet, there are only two effective fields: a value at the 0x8d offset and a constant 0x9000 at the 0x91 offset, all other fields are random data.
Figure 12 build_overflow_x86 function assembling the exploit packet.
To see the complete data sent by client, we can inspect one of the overflow packets.
Figure 13 Overflow Packet dissected in Wireshark
As described below, after the offset 0x51, the data named TS_INFO_DATA is encrypted. To decrypt the TS_INFO_DATA, we noticed that all of data are encrypted by client with the Libeay32!RC4 function.
We can get the prototype of the RC4 function — RC4(key, len, in, out) by simply debugging it.
Figure 14 Libeay32!RC4 disassembly.
We can then set a breakpoint before and after the RC4 function execution to print the in and out buffers retrieve the encrypted data and decrypted data.
The exploit buffer packet is also a Device Control Response (DR_CONTROL_RSP) with the kind set to DR_DEVICE_IOCOMPLETION (0x49434472). This is the same as the overflow buffer described earlier.
The final two packets of the first stage are the Select_MF and End Response messages, respectively. We only show the decrypted data here.
The length of pExtraBytes is two. Two two extra bytes “90 00” will be processed by smart card module on the Server.
1
2
len
0178cf980000003c
The length of pExtraBytes is 0, it is just an end response. This completes the traffic from EsteemAudit, next we’ll go into how the server processes this data.
RDP Server
With the details on what the client send to the server and the protocol in the encrypted packet out of the way, we can start looking at how the server processes the packet and where the vulnerability is exploited.
Kernel Layer
As described in the Architecture and Component section, we know that the kernel component is responsible for receiving the RDP data. We need to identify the data entry point function that handles the RAW data sent from the client to the server.
Look at the two stack traces below. It directly shows the execution flows when a DEVICE_IO packet arrives. Termdd is the core dispatcher, RDPWD is responsible for MCS stack ad we can get the raw data sent by client from RDPWD!MCSIcaRawInput. The next several functions parsed data layer by layer according to the RDP protocol described earlier.
After parsing the MCS stack, RDPWD will parse the TS_DATA_INFO part. The data in TS_DATA_INFO is encrypted so the SM_MCSSendDataCallback function calls SMDecryptPacket-> DecryptData->rc4 to decrypt the data first.
Figure 19 Decrypting the TS_DATA_INFO data
For those who want to recreated this, you can also set breakpoint in RDPWD!rc4 function which is a similar implementation with libeay32 like we did in the client to see encrypted and decrypted data on the server.
Next, the SM_MCSSendDataCallback function calls WDW_OnDataReceived will handle the decrypted data.
Figure 20 WDW_OnDataReceived Function Call
After this, the function calls termdd!IcaChannelInput to dispatch decrypted data to different channels. In this example, the buffer overflow packet sent by EsteemAudit is the Device IO packet which is a part of File System Virtual Channel Extension and will be parsed by RDPDR module.
We can find the DR_DEVICE_IOCOMPLETION [MS-RDPEFS.pdf] header in the decrypted buffer overflow packet.
In RDPDR module, we can see there is vtable call to recognize the packet and then handle the packet.
Figure 21 RDPDR Module Handling the packet
If the server receives a packet marked as RDPDR_HEADER, RecognizePacket with the appropriate class is called.
Figure 22 RecognizePacket called for RDPDR_HEADER
The buffer overflow and exploit packets sent by EsteemAudit have the 0x49434472 flag set. 0x4472 is used for the Device redirector core component and 0x4943 is used for Device I/O response.
Figure 23 Packet Type Flags from [MS-RDPESP]
After recognizing the packet type, rdpdr!DrSession::ReadCompletion calls HandlePacket to parse the packet. We can see OnDeviceControlCompletion will deal with the header.
Figure 24 Continued Parsing of the RDP Packet
After handling the packet, we can see rdpdr!DrDevice::CompleteRxContext be notified via I/O that we have processed the packet and we can exchange the context. Other modules are also notified and continue to process the left part of the packet, here is pbExtraBytes buffer.
Figure 25 CompleteRxContext Notified of the Processed Packet
User Land Layer
In user land, winlogon.exe calls the smart card modules, like gpkcsp, scredir, and winscard to communicate with the client.
First, we can investigate the stack trace below. It is a stack trace of copying the pbExtraBytes sent by the client from the kernel to the user land. We see the data sent by client flow into the user land on the server.
WARNING: Stack unwind information not available. Following frames may be wrong.
00fcffec 00000000 kernel32!GetModuleHandleA+0xdf
The most important function in user land on the server is gpkcsp!MyCPAcquireContext. It is responsible for sending, receiving and processing smart card packets, and it corresponds to the RecvProcessSendPackets function of EsteemAudit.
Before we start introduce this function, let’s look at scredir!SCardTransmit. This function is called by gpkcsp!DoSCardTransmit and it is a basic unit for sending and receiving the smart card information.
Figure 26 scredir!SCardTransmit Function
We that the 1st argument to _SendSCardIOCTL, 0x900d0, represents SCARD_IOCTL_TRANSMIT, and the data structure of the send and receive buffer fallows _Transmit_Call and _Transmit_Return structure described earlier. After getting the data from the kernel, Transmit_Return_Decode will decode and process the data. Pay attention to scredir!_CopyReturnToCallerBuffer function, it will copy the data sent by client to a global variable 0x080190d8 in data section. This means that the data in buffer overflow packet and in exploit packet will be copied to the address 0x080190d8. That’s why an absolute address 0x080190dc is hardcoded in buffer overflow packet.
Figure 27 Data from the Overflow and Exploit Packets are copied to 0x080190d8.
Now we can introduce the gpkcsp!MyCPAcquireContext function and the whole exploit process. The details for SCardEstablishContext and ConnectToCard are not shown here, but we will introduce what happened when the data in buffer overflow packet arrived.
Figure 28 gpkcsp!MyCPAcquireContext Function
There is global variable named ProvCont which stores a 0x24a8 sized heap address.
0:003> dc gpkcsp!ProvCont (08176dd8)08176dd8 02cdcb58 X…
0:003> !heap -p -a 0x2cdcb58
address 02cdcb58 found in
_DPH_HEAP_ROOT @ 3a1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize – VirtAddr VirtSize)
Figure 29 below graphically shows the data structure of gpkcsp!ProvCont.
Figure 30 Graphical Depiction of the gpkcsp!ProvCont data structure.
After calling DoSCardTransmit to deal with buffer overflow packet and store the data in 0x080190d8, MyCPAcquireContext initialize the KeyData memory (0x80) and copies the data at 0x080190dd with the size in the data sent by client (0xb2-7) to the KeyData memory.
Figure 31 MyCPAcquireContext Initializes data structure and copies data, causing the overflow
Figure 32 below shows how memory is overwritten causing the heap overflow.
Figure 32 Graphical Depiction of the Heap Overflow
The debug log shows where KeyObject object overflows.
0:003> dc 02cdcb58+a0+b8-2002cdcc90 b7314210 544f2b0f 34059cf0 ead224e5 .B1..+OT…4.$..
After KeyObject overflows, we can see how gpkcsp!MyCPAcquireContext deals with the next packets and how the EIP was controlled.
Figure 33 gpkcsp!MyCPAcquireContext handles the subsequent packets
We note that the unsymbolized function sub_8009094 calls DoSCardTransmit and copies expbuffer to 0x080x90d8, which is an always fix address to store any data sent by client without ASLR (Address Space Layout Randomization) on Windows Server 2003.
0:003> dc 080190d8 L1c0/4080190d8 d26ccf61 08011e7a 0801118e 08005e85 a.l.z……..^..
After the exploit buffer is ready, gpkcsp!MyCPAcquireContext processes the ReleaseProvider path.
Figure 34 gpkcsp!MyCPAcquireContext processes the ReleaseProvider path
This will trigger the C++ class vtable call KeyObject->release in the CryptDestroyKey function.
Figure 35 Object is released in the CryptDestroyKey function
The log below show the process from controlling EIP to shellcode execution. The exploit uses the SharedUserData technique to call KiFastSystemCall to execute VirtualProtect and make the memory 0x080180d8 writable and executable, and to execute the shellcode at address 0x08019148. At this point the exploit has completed the first stage.
As CVE-2017-9073 only exists on Windows Server 2003 and Windows XP, both of which are no longer supported by Microsoft, users should first consider upgrading to a newer version of Windows as no official patch is available. However, as this vulnerability exists in the smart card module gpkcsp, there are potential work-arounds.
Do this in the registry: Set/Add key fEnableSmartCard in the path HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ to 0 with the type of REG_DWORD.
Traps prevents exploitation of this vulnerability on Windows XP and Server 2003 hosts.
Threat Prevention Signature 32533 released in Content Update 692 detects the exploit in the NGFW.
Wherever possible, disable or restrict access to RDP from external sources
Conclusion
RDP is a very useful but very complex component of Windows. Based on our analysis of the EsteemAudit exploit, we find that the vulnerability itself is not obscure, but it took quite a bit of effort to write a successful exploit. Interestingly, gpkcsp choose a global variable to store the data sent by the client, it supplies a capacity of controlling the arbitrary data in already-known address in the remote server without ASLR. This is a powerful feature for exploit authors to take advantage of. In any case, EsteemAudit is a reliable and powerful RDP exploit tool for Windows XP and Windows 2003. Users should take steps to ensure their Windows XP and Windows Server 2003 are protected through one of the mitigation steps listed above. A network vulnerability like this one can be used in a “worm-able” fashion, similar to the WanaCrypt0r attacks which had global impact earlier this month.
Picking the right frameworks to support your organization’s governance, risk, compliance and cyber security efforts is overwhelming. Do you pick the most popular framework for each area, or assemble a collection of applicable frameworks that all drive toward a common goal? There are literally dozens of frameworks to choose from, but the common underlying theme is this: create value for the enterprise. A realistic solution is to create a common core governing model that can link to the myriad standards, models and best practices available while meeting stakeholder needs.
As a former CIO of a managed service provider in North America, I’ve experienced the above. Our company provided outsourced IT services to more than 100 client companies, and we experienced some major issues. Chief among those issues was navigating through the multitude of standards, requirements and compliance needs for each of our tenant organizations. Everyone had different needs, and our charter was to satisfy those needs. Enter the growing demand for a strong cyber security program, and the formula became even more complicated.
We had a gap in our framework architecture that was exposing vulnerabilities in our cyber security posture. At the enterprise level, we used the balanced scorecard and COSO to determine the correct balance of performance and conformance, which was good. Now, skip down to the operational level. Here, we were haphazardly applying ‘checklists’ from the various popular frameworks and guidance. These included NIST Special Publications, ISO/IEC 27001, and the CIS Critical Security Controls. As you can probably guess, this is where we became overwhelmed. We had duplicate controls, wasted resources and pressure to meet every part of every security checklist.
There was a gap between enterprise governance and operations; we were missing a vital link. This was the perfect spot to consider the governance of enterprise IT, or GEIT. We needed a mechanism to link the frameworks between the enterprise level and operational level. From our cyber security perspective, we needed this link to be a “framework to manage our frameworks,” and that solution was leveraging the COBIT 5 and NIST Cybersecurity frameworks. This was important because by using risk scenarios as a driver, we could use COBIT and the NIST framework as the critical link, or what I call ‘middleware’ between our enterprise drivers and operational tasks.
This solution allowed our organization to focus our cyber security practices that supported stakeholder needs based on key areas that created value by optimizing our risks and resources. By following the implementation guidance in both COBIT and NIST, we were able to effectively govern and manage our cyber security risks and resources. What were the key benefits to adopting these two frameworks together? Here are the three top reasons for our organization:
Both have solid implementation guidance. Although each framework has a suggested implementation methodology, they are easily mapped to each other and would be best used together for cyber security adoption. The COBIT implementation method offers a step-by-step approach to adopting good governance practices, while the NIST Cybersecurity Framework implementation guidance focuses specifically on the cyber security-related practices.
The frameworks reference each other. Each of these frameworks notes where the other complements them. COBIT refers to the appropriate NIST publications at the process level, and NIST refers to COBIT practices as informative references. This allows for better mapping, reduced duplication, and a broader view of a cyber security program as a part of an overall GEIT initiative.
They both provide a holistic approach. One of the COBIT principles is called “Applying a Holistic Approach,” and focuses on a set of enablers. Think about these enablers as the ingredients to a holistic GEIT program. The NIST Cybersecurity Framework, on the other hand, is what I consider a holistic approach to a solid cyber security program by providing a framework core consisting of five functions (Identify, Protect, Detect, Respond and Recover), and includes activities, desired outcomes, and applicable references.
If you are overwhelmed with all of the cyber security options facing your organization and you’re not quite sure where to start, give this formula some thought. You may find that it is a great way to get a central governing model for your cyber security efforts.
Editor’s note:For more guidance on implementing the NIST Cybersecurity Framework using COBIT 5, view a new ISACA white paper here.