Category: The Cyberist

Cyberspace, Zero Trust architecture, Trust No One networking, Encryption

Zero Trust is the Way to Go!

If a data breach has occurred, it’s already too late. Data breaches may not cost every company millions of dollars, but they too often cause extensive and often irreversible damage to a company’s reputation. Recent studies showed that after a vendor notifies customers of a breach, one-third of customers say they will no longer do business with that company. With cybersecurity, it is best to be proactive; companies need to protect against cybercrime and data breaches before they happen.

Today, cybersecurity is a $125 billion industry and will be worth $248.26 billion by 2023, and yet, regardless of the amount of money spent on preventing them, data breaches show no signs of stopping. There is an absolute need for a new way to approach cybersecurity strategy.

Traditional security approaches, such as firewalls, try to create a secure perimeter, but that doesn’t work in a modern setting because of the adoption of cloud software and mobile access, as well as the sophistication of hackers. That means you need to adopt an approach that recognizes the importance of your data everywhere.

That approach is TNO, Trust No One, or Zero Trust security. Zero Trust is a set of lenses through which to evaluate every user: verify who they are, see what data they want to access and what security state they are in, then limit that access in a way that minimizes exposure and attack surface, vastly reducing the opportunities for bad actors to operate, whether from within or from without.

Zero Trust operates on three core premises to achieve maximum security:
1) Verify every user,
2) Validate every device, and
3) Intelligently limit access based on users’ specific needs.
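An added illustration (not the post’s own code) of how the three premises combine into one default-deny decision made on every request; the users, devices, resources and field names below are constructed for the example:

```python
"""Added illustration of the three Zero Trust premises as one per-request
decision. Not the post's own code; all users, devices and resources below are
constructed sample data and the field names are assumptions for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool                      # primary credential checked
    mfa_passed: bool                         # second factor checked this session
    projects: FrozenSet[str] = frozenset()   # projects the user works on
    roles: FrozenSet[str] = frozenset()      # extra need-to-know roles


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool           # enrolled in the organization's inventory
    disk_encrypted: bool    # full-disk encryption (e.g. BitLocker) enabled
    patched: bool           # security updates current


@dataclass(frozen=True)
class Resource:
    path: str
    project: str             # the segment (project) the data belongs to
    required_role: str = ""  # additional role needed, e.g. "payroll"


Decision = Tuple[bool, str]


def verify_user(user: User) -> Decision:
    """Premise 1: verify every user, on every request."""
    if not user.authenticated:
        return False, "user not authenticated"
    if not user.mfa_passed:
        return False, "second factor not presented"
    return True, "user verified"


def validate_device(device: Device) -> Decision:
    """Premise 2: validate the security state of every device."""
    if not device.managed:
        return False, f"device {device.device_id} is not managed"
    if not device.disk_encrypted:
        return False, f"device {device.device_id} has no disk encryption"
    if not device.patched:
        return False, f"device {device.device_id} is missing patches"
    return True, "device healthy"


def limit_access(user: User, resource: Resource) -> Decision:
    """Premise 3: limit access to the project files the user actually needs."""
    if resource.project not in user.projects:
        return False, f"{user.name} is not on project {resource.project}"
    if resource.required_role and resource.required_role not in user.roles:
        return False, f"{resource.path} requires role {resource.required_role}"
    return True, "need-to-know satisfied"


def decide(user: User, device: Device, resource: Resource) -> Decision:
    """Default deny: all three checks must pass. The caller's network location
    is deliberately not an input, so being 'inside' the network earns nothing."""
    for ok, reason in (verify_user(user), validate_device(device),
                       limit_access(user, resource)):
        if not ok:
            return False, "DENY: " + reason
    return True, f"ALLOW: {user.name} -> {resource.path}"


# Constructed sample data (not real users, devices or files).
ALICE = User("alice", True, True, frozenset({"apollo", "finance"}))
BOB = User("bob", True, False, frozenset({"apollo"}))
CAROL = User("carol", True, True, frozenset({"zeus"}))
LAPTOP = Device("lt-001", managed=True, disk_encrypted=True, patched=True)
HOME_PC = Device("home-pc", managed=False, disk_encrypted=False, patched=True)
APOLLO_DESIGN = Resource("/projects/apollo/design.docx", "apollo")
PAYROLL = Resource("/finance/payroll.xlsx", "finance", required_role="payroll")


def run_scenarios() -> List[str]:
    """Evaluate a few requests; return (and print) one decision line each."""
    cases = [(ALICE, LAPTOP, APOLLO_DESIGN),   # everything in order -> allow
             (ALICE, LAPTOP, PAYROLL),         # on the project, lacks the role
             (BOB, LAPTOP, APOLLO_DESIGN),     # no second factor
             (ALICE, HOME_PC, APOLLO_DESIGN),  # unmanaged device
             (CAROL, LAPTOP, APOLLO_DESIGN)]   # not on the project
    lines = [decide(u, d, r)[1] for u, d, r in cases]
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    run_scenarios()
```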

Cybersecurity training and awareness alone aren’t enough; it only takes one weak link to compromise access. Companies have to operate on the assumption that hackers can breach their security layers at any given time. Zero Trust embodies this assumption of constant threat, continually limiting access to address that concern, while also not overly burdening users with unnecessary authentication.

According to experts, Zero Trust is the most researched cybersecurity trend, more than biometric data, and more than blockchain. It makes sense. It is catching on. I’ll continue to promote it as one of the best security postures a company can take today.

Start reading here: Zero Trust Networks, by Doug Barth and Evan Gilman. Publisher: O’Reilly Media, Inc. Release date: July 2017. ISBN: 9781491962183.

Cybersecurity Plan

Writing a basic security plan is a must for all businesses, regardless of size. For a small business, drafting an essential security plan takes a few hours (8 to 10 hours), writing up an inventory list takes 2 to 4 hours, and coming up with the relevant update and recovery checklists takes a few more hours (4 or 5 hours).

Note: Drafting the information security policies, procedures, and process documentation needed to satisfy ISO 27001 requirements is not proportional to the size of your organization; it will take a few dedicated days (4 or 5 days) and a few weeks to refine.

Here’s how a small business builds its working cyber security plan. Large companies have more complex needs requiring a more sophisticated strategy, which is beyond the scope of this article; contact me if you need assistance.

You don’t need to be an IT security expert to get the job done. If you can run an application like LibreOffice to edit a document and browse the web, you already know enough to protect your organization at a basic level; no black magic is involved. Investing in cybersecurity delivers a considerable return on investment, always. Using the FCC Cyber Security Planning Guide, you can create a simple cybersecurity plan for your organization. The first draft of your cyber security plan doesn’t have to win a Pushcart Prize, but make sure that it’s not a Flannery O’Connor Award for Short Fiction either. It does not need to run to hundreds of pages with chapters of fine detail. Your plan needs to outline the threats you likely face and establish sound policies, procedures, and processes, with clear responsibilities for taking action.

The best security plans are simple, but they demand that everyone involved be proactive and vigilant about security. Everyone concerned should take note of which policies, processes, and procedures are working and which need to be polished, changed, or just thrown out. It’s all about involving everyone and pooling the collective knowledge required to take charge of your cyber security.

To identify and understand your risk, start by listing all your digital assets, such as emails, work files, financial records, employee information, business and project plans, schedules, clients’ data, contracts, and any other information you want to protect.

Before you can protect anything, you need to know what you have: take inventory of all the assets that contribute to your business and its security, and decide what you are trying to achieve. For many companies, the objectives may include:

  • Protecting all your data, such as:
    • Customer sales records
    • Customer credit card transactions
    • Customer mailing and email lists
    • Customer support information
    • Customer warranty information
    • Patient health or medical records
    • Employee payroll records
    • Employee email lists
    • Employee health and medical records
    • Business and personal financial records
    • Marketing plans
    • Business leads and inquiries
    • Product design and development plans
    • Legal, tax and financial correspondence
  • Meeting your regulatory and legislative obligations;
  • Showing your suppliers and clients that you are proactive with your security, implementing and complying with best-of-breed standards from the ISO, NIST, and many others.

List your employees and allocate a cyber security task to every person: for example,

  • Information Security Officer: responsible for overall cyber security;
  • The person most comfortable with software and hardware: accountable for all security-led technical changes;
  • Everyone, with a team leader: responsible for scheduling and managing updates and checks.
  • Moreover, everyone must acknowledge that they are responsible for understanding risks such as email scams and malware threats, and for being vigilant while in cyberspace.

Other things your cybersecurity policies, procedures, and processes have to account for include:

  • Accidental damage, like dropping a tablet and breaking the screen,
  • Technical failure, such as the death of a vital server,
  • Natural disasters such as earthquake, flood, and fire,
  • Crime, like a break-in at your premises,
  • External risks like malware attacks and industrial espionage,
  • Employee negligence, such as unintentional file deletion,
  • Employee misconduct, like stealing customer data.

Using NIST SP 800-53 R4, Security and Privacy Controls for Federal Information Systems and Organizations, you can formalize your security controls to help you manage your risks and figure out which people will manage those risks best. NIST SP 800-53 and ISO 27002 will help you decide everything you need to plan how to select controls to mitigate the risks. If you are a Microsoft Windows user, in your efforts to detect, update, recover, and practice safe computing, your controls might include things like:

  • Ensure that all your mail gets swept for viruses, archived, and kept secure;
  • Use digital signature and encryption certificates;
  • Encrypt your data and move it to a central file server;
  • Stop staff from storing information on their local computers;
  • Back up vital encrypted data every day, with local copies and copies in the cloud (DropBox, Google Drive, iCloud, Mega, OneDrive, SpiderOak);
  • Encrypt and store critical customer and business information locally and in the cloud (DropBox, Google Drive, iCloud, Mega, OneDrive, SpiderOak);
  • Use TNO computing (Trust No One, segmented networking), where only the people working on a given project have access to that project’s files;
  • Enforce TNO computing and restrict access to business information like clients’ accounts and payroll to need-to-know only;
  • Set up BitLocker, GNU Privacy Guard, or AxCrypt on all your computers to protect your data against loss or theft;
  • Security-mark every piece of equipment (PC, server, laptop, tablet, mobile phone, and so on);
  • Have a third party conduct an annual audit of your physical security, locks, and alarms;
  • Update your security policies, procedures, and processes yearly and train all new staff, without exception;
  • Hold a refresher course to ensure everyone in the company is familiar with changes to security policies, procedures, and processes;
  • Spot-check regularly to ensure staff take security seriously and follow established protocols.

It’s a reasonably straightforward exercise, but even a basic cybersecurity plan can save you a world of pain. To ensure the integrity of your cybersecurity plan and its policies, procedures, and processes, it is wise to employ a third party to audit your cybersecurity as a whole, or simply to help you implement it, its documentation, its controls, and so on.

You will find helpful links in the FCC Cyber Security Planning Guide.

Sources:

Guide to Developing a Cyber Security and Risk Mitigation Plan – NRECA / CRN, https://www.smartgrid.gov/files/CyberSecurityGuideforanElectricCooperativeV11-21.pdf

Cyber Security Planning Guide – FCC, https://transition.fcc.gov/cyber/cyberplanner.pdf (accessed February 18, 2019).

Cyber Security Bulletin: Scams And Frauds – US Army, https://www.army.mil.ph/home/pdf_files/Cyber_Bulletin/Cyber%20Security%20Bulleti (accessed February 18, 2019).

Cyber Security Planning Guide – Homeland Security | Home, https://www.dhs.gov/sites/default/files/publications/FCC%20Cybersecurity%20Plann (accessed February 18, 2019).

Attribution and Prosecution

Justice in Cyberspace

Cybercrimes are on the rise worldwide, and national law enforcement agencies around the world have very little success with arrests and even less with prosecutions; no matter how much money is spent, putting cybercriminals behind bars will continue to prove elusive.

Two of the reasons are attribution and jurisdiction; cybercriminals know this and take full advantage of it.

To put a dent in this trend, two things need to happen.

(1) The creation of an International Attribution Consortium[i] consisting of a “broad team of international experts would provide an independent investigation of major cyber incidents for attribution. Membership should include representatives from two sectors: (a) technical experts from cybersecurity and information technology companies, as well as academia, and (b) cyberspace policy experts, legal scholars, and international policy experts from a diversity of academic and research organizations. A credible and transparent attribution organization should not include the formal representation of nation-states, to avoid an appearance of bias and to protect transparency.”

(2) Nations need to stop the current tendency of using their laws (justice systems) and enforcement units to advance their political and national interests. Governments need to realize that prosecuting cybercriminals in the jurisdiction(s) where the crime was committed benefits all concerned, especially where wanton criminal acts traverse geographical borders, creating economic and political havoc in multiple domains, and where jurisdictional gridlock leaves the criminals free to repeat their most successful exploits. International law enforcement cybercrime units, like the Interpol and Europol cybercrime units, need real power to chase and arrest cybercriminals and ensure their prosecution, hopefully in the jurisdiction with the most severe penalties.

Sadly, Item (1) is more likely to happen anytime soon than Item (2).

Federal budget: RCMP, CSE to get new cybercrime fighting centres (Note: cybercrime fighting centres are currently a good worldwide trend, but with very little worldwide coordination.)


[i] Davis, John S. II, Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase, Stateless Attribution: Toward International Accountability in Cyberspace, Santa Monica, Calif.: RAND Corporation, RR-2081-MS, 2017. https://www.rand.org/pubs/research_reports/RR2081.html

Privacy Information Management System (PIMS)

Help is almost here for implementing and confirming compliance with the General Data Protection Regulation (GDPR) and other information privacy acts. ISO/IEC DIS 27552 is designed to enhance the existing Information Security Management System (ISMS, see the ISO/IEC 27000 series) with additional requirements to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). ISO/IEC 27552 provides a framework for Personally Identifiable Information (PII) Controllers[i] and PII Processors[ii] to manage privacy controls, reducing risks to individuals’ privacy rights. It acts as an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management requirements and guidelines.

ISO/IEC 27552 augments the existing ISMS with privacy-specific controls and creates a PIMS that enables effective privacy management within the organization. A well thought out PIMS implementation can bring many potential benefits to PII Controllers and Processors.

First, managing compliance with various privacy regulations and policies from numerous jurisdictions can be burdensome, especially since the laws were not organized in a way that simplifies their application by PII controllers and processors. Annex C demonstrates that a single control can account for multiple requirements from the General Data Protection Regulation (GDPR). Using the standard can significantly reduce the complexity of meeting regulations.

Second, the requirement for Data Protection Officers will help provide evidence to senior management and board members of their progress in regulatory privacy compliance. Compliance evidence based on a PIMS and, potentially, its certification can provide the necessary assurance to senior management and board members that the organization’s implementation meets the applicable privacy requirements.

Third, PIMS certification can be valuable in demonstrating an organization’s privacy compliance to customers, partners, and authorities. PII controllers generally demand evidence from PII processors that the processors’ privacy management system meets the required privacy requirements. A consistent evidence framework based on the international standard can greatly simplify such proof of compliance transparency, especially when the evidence needs validation by an accredited third-party auditor. A well implemented and reviewed ISO/IEC 27552 PIMS is a necessity for the all-important compliance transparency that is so critical to an organization’s strategic business decisions, such as mergers and acquisitions. It will also play a significant role where multiple organizations develop and implement scenarios involving data sharing agreements. Lastly, certifying an organization’s PIMS can potentially serve to signal trustworthiness to the public.

The standard segregates the requirements into the four following groups:

  • Clause 5 outlines PIMS requirements related to ISO/IEC 27001.
  • Clause 6 outlines PIMS requirements related to ISO/IEC 27002.
  • Clause 7 outlines PIMS guidance for PII Controllers.
  • Clause 8 describes PIMS guidance for PII Processors.

Further, ISO/IEC 27552 includes the following informative Annexes:

  • Annex A lists all appropriate controls for PII Controllers.
  • Annex B lists all suitable controls for PII Processors.
  • Annex C charts ISO/IEC 27552 controls against GDPR.
  • Annex D charts ISO/IEC 27552 controls against ISO/IEC 29100.
  • Annex E charts ISO/IEC 27552 controls against ISO/IEC 27018.
  • Annex F charts ISO/IEC 27552 controls against ISO/IEC 29151.

ISO/IEC 29100:2011 – Privacy Framework specifies a common privacy terminology; defines the actors and their roles in processing PII; describes privacy safeguarding considerations, and provides references to known privacy principles for information technology. You can download a copy of ISO/IEC 29100:2011.

ISO/IEC 27018 presents commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in line with ISO/IEC 29100’s privacy principles in cyberspace (the public cloud computing environment).

ISO/IEC 29151:2017 establishes control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of PII.


[i] A PII controller (or data controller in some jurisdictions) is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

[ii] A public cloud service provider is a ‘PII processor’ when it processes PII for and according to the instructions of a cloud service customer. … NOTE Where the public cloud PII processor is processing cloud service customer account data, it might be acting as a PII controller for this purpose.

Semper Paratus

Cyberwarfare and cybercrime are here to stay, no doubt about that. No matter the size of your network, it is imperative to be proactive and prepare for the future. It is of utmost importance for all organizations to take the necessary basic precautions now, to provide a defence on what is now the front line of the future.

Risk management is critical to forming the basis of a sound and strategic cybersecurity program for organizations of all sizes. One can accomplish this through an initial risk assessment in which one identifies, categorizes, and ranks data according to the perceived impact on the organization should that data be exposed, lost, or stolen; the aim is to have the basics in place before disaster strikes.

At a bare minimum, all organizations, no matter their size, should take the following seven steps to protect their data, supported by standards and guidelines:

1. Set up multi-factor authentication for all users accessing your network, without exception.

  • To help you understand the MFA process, NIST presents a simple primer entitled: Back to basics: Multi-factor authentication (MFA).
  • Further, it serves well to have a copy of ISO/IEC 27001:2013 – Information Security Management System – Requirements. The standard’s requirements are generic and suitable for all organizations regardless of type, size, and nature. They specify how best to establish, implement, maintain, and continually improve your organization’s Information Security Management System (ISMS). More importantly, it provides risk assessment and treatment methods to tailor information security risk management to the organization’s needs. To help implement Item 1, see the following requirements in ISO/IEC 27001:2013:
    • A.9.1.1 – Access control policy
      A.10.1.1 – Policy on the use of cryptographic controls
      A.11.2.9 – Clear desk and clear screen policy
      A.14.1.1 – Information security requirements analysis and specification
      A.14.1.2 – Securing application services on public networks
      A.14.1.3 – Protecting application services transactions
      A.14.2.5 – Secure system engineering principles
    • A.9.1.2 – Access to networks and network services
      A.13.1.2 – Security of network services
      A.13.1.3 – Segregation in networks
      A.13.2.3 – Electronic messaging
    • A.9.4.2 – Secure log-on procedures
      A.9.4.4 – Use of privileged utility programs
    • A.11.1.2 – Physical entry controls

2. Most importantly, it is critical that you use access control to manage who gets access to what data.

  • Consider ISO/IEC 29146:2016 — A Framework for Identity Management. It defines and establishes a Framework for Access Management (FAM) with pointers for the secure management of the processes to access information and Information and Communications Technologies (ICT) resources.
  • Organizations should implement Zero Trust architecture; this network segmentation approach allows an organization to adopt a “verify all” approach to data access.

3. Use encryption to protect data at rest and in transit.

4. Enable access to secure, automatic and always encrypted backups (keep Items 1, 2, and 3 in mind).

5. Restrictively manage your vendors and partners accessing your systems.

6. Be sure to develop and implement well-exercised disaster recovery and continuity of operations plans and, more importantly, make sure they include an alternate location from which to deliver.

7. Engage cybersecurity frameworks and other regulatory controls to manage and monitor systems.

Reference:

Understanding The Implications Cyberwarfare Has On Your…,  https://forbes.com/sites/forbestechcouncil/2019/01/30/understanding-the-implicat (accessed February 02, 2019).

Take away from US DNI’s report

Daniel R. Coats, US Director of National Intelligence, delivered his Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community to the US Senate Select Committee on Intelligence on January 29, 2019. It is an interesting read from which we can draw lessons to spur our cyber and information security efforts proactively.

Here are three critical cybersecurity-related takeaways from the report.

1. China and Russia have unprecedented power to target any infrastructure and population. Others, like Iran and North Korea, remain severe threats for cyber espionage leading to financial and supply chain disruptions.

2. Cybercriminals will continue to conduct for-profit, cyber-enabled theft and extortion against any network, endangering the economic health and competitiveness essential to many countries’ national security.

3. Cyberwarfare is now part and parcel of most militaries’ arsenals, and the scale of the threat is outstripping most nations’, never mind most organizations’, ability to defend against an act of aggression in cyberspace.

The report’s conclusions apply to just about any nation.

In the face of the current cyber threat environment, most nations lack a coherent cyber doctrine that, at a minimum, will best defend and minimize damage to their infrastructure. They need cyber policies, procedures, and processes that proactively define their country’s intentions and interests in cyberspace; clearly articulate the online actions they want to encourage and those they will not tolerate; and, as a last resort, develop retaliatory measures to be applied only once they have achieved clear, independently verifiable attribution.

My take is that ultimately it is unlikely that any one nation or alliance will be able to change their adversaries’ political aims and agenda in cyberspace. Sadly, many will think it is worth the risk of provoking others in cyberspace to exercise their cyber warfare capabilities and extend their reach, especially the big players like China, Russia, and the United States. Thrown into the mix are smaller nations that will refine their cyber warfare capabilities to augment their security and military capabilities as a more cost-effective way to spy and wage war. Moreover, there is always the possibility of treachery on the part of unattributed actors such as thrill-seekers, rogue terrorists, or criminals triggering a cyberwar.

It’s ugly out there, and it is getting frightfully nasty for passive bystanders. Nevertheless, individuals can still be proactive with their security and deflect some dangers.

Bibliography:

Coats, D. (2019). Statement for the Record Worldwide Threat Assessment of the US Intelligence Community January 29, 2019. PDF Available at: https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR—SSCI.pdf [Accessed 1 Feb. 2019].

Coats, Daniel R. 1943- [worldcat Identities], http://www.worldcat.org/identities/lccn-no91-7183/  (accessed February 01, 2019).

M&A Network Security Due Diligence

Everyone knows that merging two companies is all about due diligence! When companies do mergers and acquisitions, most of the due diligence is around financials and legal risks, and in many cases intellectual property. What I don’t see is companies focusing on cyber and information security due diligence by digging deeper into whether the company has suffered a breach or a compromise.

In 2017, Avast had a nasty surprise when it acquired Piriform. Hackers had compromised its CCleaner application, which ultimately led to 2.27 million downloads of the corrupted CCleaner version, putting millions of users at risk. In 2018, Marriott merged with Starwood, where hackers had access to over 500 million customers’ data because of a security breach on Starwood’s network.

These incidents will undoubtedly change the merger and acquisition process from now on, or at least they should. Had they included a focus on cyber and information security during their due diligence, I’m sure they would have found at least some indication that things were amiss.

When merging any two networks, even internal ones, there is a need to catalog and inventory them; Open Audit is a good start. Also, the ISO/IEC 19770 Information Technology – IT Asset Management standard series will considerably improve accountability in a trust-but-verify approach.

In your proactive approach to security, download the Network Security Toolkit (NST) for best-of-breed open source network security applications to monitor and help secure all the networks before their merger, and make the NST part and parcel of your network security processes and procedures. Another good website to visit is INSECURE.ORG, a repository of the top 125 network security tools for vulnerability scanning and penetration testing, among many other useful tools and applications to help keep your network secure.

Remember it is an ugly world out there, be proactive with your security, always!

Reference: The CIO’s M&A Blog

Compliance is good for business!

When the EU’s General Data Protection Regulation (GDPR) went into effect in May 2018, many companies were caught flat-footed. Eight months later, it looks like many organizations have caught up. According to Cisco, around 60% of organizations surveyed have met most or all of the GDPR’s requirements. A further 30% of organizations expect to meet the regulation within the next year. The last 10% estimated that GDPR compliance was more than a year away.

Half a year into the GDPR experiment, it turns out that following the GDPR has a positive effect on a company’s data security and its resilience in the face of cybersecurity threats.

The GDPR focuses on privacy regulations for companies located in and doing business with the European Union. It imposes strict rules to protect personal information, with hefty fines attached for companies that break the rules. Additionally, it requires that data breaches be reported to the authorities within 72 hours.

A recent study of over three thousand security professionals from Cisco’s Data Privacy Benchmark Survey found that being GDPR-compliant has some positive downstream effects beyond avoiding a costly fine from the EU Commission, like:

  • Enhance Your Cybersecurity (Better data security with better alignment with evolving technologies)
  • Improve Data Management (greater decision making)
  • Increase Marketing Return On Investment (reduce maintenance costs)
  • Boost Audience Loyalty And Trust (Improved consumer confidence)

For clients (consumers) the benefits are also excellent.

  • Right to marketing consent
  • Right to be forgotten (erased)
  • Freedom to change data
  • Right to portability, and of course
  • Right to access

Wow! It turns out the EU regulators knew what’s what!

Reminder: “Privacy is personal, meaning something we create for ourselves (which in the natural world we do with clothing and shelter, both of which lack equivalents in the digital world). Privacy is not something supplied by the grace of privacy policies and terms of service that differ with every company, and over which none of us have control.” Doc Searls, editor-in-chief, Linux Journal.

Cyber and Information Security Standards Sources

Here is a list of the significant cyber and information security standards organizations. It is not exhaustive, as many governments now offer cyber and information security portals to raise awareness of cyber threats, crimes, and dangers. So have a look at what your government is providing.

These sites should be in front of your digital Rolodex. These organizations publish materials that will help protect your cyber and information-environments. Additionally, they are a great start in finding the right content in your proactive security knowledge quest.

The International Organization for Standardization (ISO) is a consortium of national standards institutes from 157 countries, coordinated through a secretariat in Geneva, Switzerland. ISO is the world’s largest developer of standards. Here is a concise list:

  • ISO 15443: Information Technology – Security Techniques – A Framework for IT Security Assurance,
  • ISO-20000: Information Technology – Service Management,
  • ISO/IEC 22301: Societal Security – Business Continuity Management Systems – Requirements,
  • ISO/IEC 27001: Information Technology – Security techniques – Information Security Management Systems – Requirements,
  • ISO/IEC 27002: Information Technology – Security Techniques – Code of Practice for Information Security Management, 
  • ISO/IEC 27031: Guidelines for Information and Communication Technology Readiness for Business Continuity,
  • ISO/IEC 27032: Information Technology — Security Techniques — Guidelines for Cybersecurity,
  • ISO/IEC 27035: Information Security Incident Management.

The entire ISO/IEC 27000 series is of great interest to those who want to be proactive in their cyber and information security endeavours.

ISO website: www.iso.org

The US National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. The NIST Computer Security Division develops standards, metrics, tests, and validation programs, and publishes rules and guidelines to increase secure IT planning, implementation, management, and operation. NIST is also the custodian of the U.S. Federal Information Processing Standards (FIPS) publications. NIST’s best work is its Special Publication (SP) 800 and 1800 series. The SP 1800 series presents practical, usable cybersecurity solutions to the cybersecurity community. These solutions demonstrate how to apply standards-based approaches and best practices. SP 1800 documents map capabilities to the Cybersecurity Framework and outline the steps another entity or organization needs to recreate an example solution. The SP 800 series presents information of interest to the computer security community. SP 800 comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities.

NIST website: nist.gov
FIPS webpage: https://www.nist.gov/itl/itl-publications/federal-information-processing-standards-fips
Special Publication (SP) 800 series webpage: https://www.nist.gov/itl/nist-special-publication-800-series-general-information
Special Publication (SP) 1800 series webpage: https://www.nist.gov/itl/nist-special-publication-1800-series-general-information

The Internet Society is a professional membership society with more than 100 organizations and over 20,000 individual members in over 180 countries. It provides leadership in addressing issues that confront the future of the internet, and it is the organizational home for the groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB). The ISOC hosts the Requests for Comments (RFCs), which include the Official Internet Protocol Standards and RFC 2196, the Site Security Handbook.

Internet Society website: http://www.internetsociety.org/
IETF website: https://www.ietf.org/
Site Security Handbook, RFC 2196
Users’ Security Handbook, RFC 2504

The Information Security Forum (ISF) is a global nonprofit organization of several hundred leading organizations in financial services, manufacturing, telecommunications, consumer goods, government, and other areas. It researches information security practices and offers advice in its biannual Standard of Good Practice and more detailed advisories for members.

ISF website: http://www.securityforum.org/
The standard of Good Practice for Information Security 2018 webpage: https://www.securityforum.org/tool/the-isf-standard-good-practice-information-security-2018/

The German Federal Office for Information Security (in German, Bundesamt für Sicherheit in der Informationstechnik, BSI) publishes the BSI-Standards 100-1 to 100-4, a set of recommendations including "methods, processes, procedures, approaches and measures relating to information security." The BSI-Standard 100-2 IT-Grundschutz Methodology describes how information security management can be implemented and operated. The standard includes a precise guide, the IT Baseline Protection Catalogs (also known as the IT-Grundschutz Catalogs). The Catalogs are a collection of documents useful for detecting and combating security-relevant weak points in the IT environment (IT cluster). As of September 2013 the collection encompasses over 4,400 pages, including the introduction and catalogues. The IT-Grundschutz approach aligns with the ISO/IEC 2700x family.

BSI website: https://www.bsi.bund.de/EN/TheBSI/thebsi_node.html
Technical Publications download page: https://www.bsi.bund.de/EN/Service/Downloads/downloads_node.html

The European Telecommunications Standards Institute (ETSI) is an independent, not-for-profit standardization organization in the telecommunications industry (equipment makers and network operators) in Europe, headquartered in Sophia-Antipolis, France, with worldwide reach. ETSI produces globally applicable standards for Information and Communications Technologies (ICT), including fixed, mobile, radio, converged, broadcast and internet technologies. ETSI has standardized a catalogue of information security indicators (ISI), developed by the Industry Specification Group (ISG) ISI.

ETSI website: https://www.etsi.org/
ETSI ISI webpage: https://www.etsi.org/technologies-clusters/technologies/information-security-indicators

Here is a list of some government websites related to cyber and information security:

Also, you will find that there are dozens of organizations offering cyber and information security qualification frameworks; have a look here: https://en.wikipedia.org/wiki/List_of_computer_security_certifications.

Never Trust, Always Verify

Zero Trust networking works well as long as you don't have a traitor inside your network. It is rooted in the principle of "never trust, always verify." It is designed to address lateral threat movement within the system by leveraging micro-segmentation and granular perimeter enforcement based on user, data and location.

Use Zero Trust to grant access based on context for all traffic, across user, device, location and application, plus zoning (segmentation) capabilities that control access to internal traffic. To grant access based on context, traffic needs to pass through a firewall and server environment (applications, services, etc.) with decryption capabilities. The firewall and the servers enable micro-segmentation of perimeters and act as border control within the organization. While it's necessary to secure the external perimeter border, it's even more crucial to verify traffic as it crosses between the different functions within the network. Adding two-factor authentication and other verification methods increases the ability to authenticate users correctly. Leverage a Zero Trust approach to identify business processes, users, data, data flows and associated risks, and set policy rules that can be updated automatically, based on those risks, with every iteration.

Note: in addition to the micro-segmentation that allows trust only upon verification (do you belong here?), it is best to establish an automated crypto key exchange between every machine on the network based on a recognized (whitelisted) list: no key exchange, no interaction. (Best to use OpenBSD, with its OpenSSH and OpenBSD PF, as your network baseline.)
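The two preceding paragraphs describe context-based access decisions (user, device, location, application, segment) and a machine allowlist where an unknown key means no interaction. The following is an added example, not code from the original post, that simulates both as a small default-deny policy engine: every request is scored on its context, checked against segment and least-privilege rules, and peer machines are admitted only if their public-key fingerprint is on a known list. All users, segments, applications, rules, thresholds and key material are constructed for the demonstration and are assumptions, not values from the post.

```python
"""Added example: a minimal Zero Trust policy engine (default deny).

Constructed for illustration; the users, segments, applications, risk
weights and key blobs below are assumptions, not values from the post.
"""
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool
    device_compliant: bool   # e.g. disk encrypted, patched, endpoint agent healthy
    src_segment: str         # micro-segment the traffic originates from
    dst_segment: str         # micro-segment that hosts the application
    application: str
    location: str            # "office" or "remote" (constructed coarse context)


# Permitted flows between micro-segments: (src, dst) -> applications reachable.
# Anything not listed is denied at the segment border.
SEGMENT_POLICY = {
    ("corp-clients", "app-tier"): {"crm", "wiki"},
    ("app-tier", "db-tier"): {"postgres"},
}

# Least privilege: roles per user, applications per role (constructed).
USER_ROLES = {"alice": {"sales"}, "bob": {"dba"}}
ROLE_APPS = {"sales": {"crm", "wiki"}, "dba": {"postgres"}}

# Applications that always require MFA and a compliant device.
SENSITIVE_APPS = {"crm", "postgres"}

# Requests at or above this accumulated risk are denied regardless of app.
RISK_DENY_THRESHOLD = 50


def risk_score(req: Request) -> int:
    """Accumulate risk points from the request context (weights are assumptions)."""
    score = 0
    if not req.device_compliant:
        score += 50
    if not req.mfa_verified:
        score += 30
    if req.location == "remote":
        score += 10
    return score


def evaluate(req: Request) -> tuple[bool, str]:
    """Decide one request. Every check must pass; the default outcome is deny."""
    allowed_apps = SEGMENT_POLICY.get((req.src_segment, req.dst_segment), set())
    if req.application not in allowed_apps:
        return False, "segment policy: flow not permitted"

    roles = USER_ROLES.get(req.user, set())
    user_apps = set().union(*(ROLE_APPS.get(r, set()) for r in roles))
    if req.application not in user_apps:
        return False, "least privilege: role does not cover application"

    if req.application in SENSITIVE_APPS and not (req.mfa_verified and req.device_compliant):
        return False, "sensitive app: MFA and compliant device required"

    score = risk_score(req)
    if score >= RISK_DENY_THRESHOLD:
        return False, f"risk {score} at or above threshold"
    return True, f"allow (risk {score})"


def fingerprint(pubkey_blob: bytes) -> str:
    """SHA-256 fingerprint in the OpenSSH display style (base64, padding stripped)."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed machine allowlist. In a real deployment the fingerprints come
# from each host's actual public key (e.g. the output of ssh-keygen -lf).
KNOWN_MACHINES = {
    fingerprint(b"constructed-public-key-of-app01"): "app01",
    fingerprint(b"constructed-public-key-of-db01"): "db01",
}


def peer_allowed(presented_pubkey: bytes) -> tuple[bool, str]:
    """No key on the allowlist, no interaction: unknown peers are refused outright."""
    host = KNOWN_MACHINES.get(fingerprint(presented_pubkey))
    return host is not None, host or "unknown machine"


if __name__ == "__main__":
    demo = Request("alice", True, True, "corp-clients", "app-tier", "crm", "remote")
    print(evaluate(demo))
    print(peer_allowed(b"constructed-public-key-of-app01"))
    print(peer_allowed(b"some-other-key"))
```

The engine never has a "trusted zone": a correct segment flow still fails if the user's role does not cover the application, a correct role still fails if the device posture or MFA state is wrong, and a machine without a listed key is refused before any policy is consulted. Updating `SEGMENT_POLICY`, `ROLE_APPS` or the risk weights is how the rules would be revised with each iteration of the risk assessment the post describes.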

Remember, security is not for the passive! It is an ugly world out there; you must be proactive with all your security.