Disaster Recovery Journal Winter 2023
The NIST Framework for Improving Cybersecurity Infrastructure

A cyber-secure DR infrastructure requires each technology used in creating it to satisfy defined cybersecurity standards. The National Institute of Science and Technology (NIST) provides organizations with perhaps the best cybersecurity framework for them to reference. The current version 1.1 of the NIST Framework for Improving Critical Infrastructure Cybersecurity has the following five categories:

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

Its next draft, version 2.0, already scheduled for release in early 2024, introduces a new govern category. This category underlies these existing five categories.

Each of these Framework categories also contains specific components. For instance, the protect category includes identity management and access control; awareness and training; data security; information protection processes; maintenance; and protective technology. Organizations may use these various NIST categories and their respective elements to aid them in creating a cyber-secure DR infrastructure.

The Three-fold Challenge

This NIST Framework can certainly help organizations in their journey toward creating a cyber-secure DR infrastructure. However, the NIST Framework only provides organizations with high-level guidance and direction. It does not spell out the specific features or products they need or how to best implement them. This creates the following three-fold challenge for organizations:

1. The mapping of specific product features to specific NIST Framework boxes is a subjective exercise. NIST leaves it to organizations to map specific product features to the cybersecurity categories in its Framework. Adding to the difficulty, organizations may interpret and understand the components in each category of the NIST Framework differently. This makes mapping specific product features to specific NIST Framework components both a difficult and subjective exercise.

2. No universal, objective NIST Framework feature checklist exists. Organizations cannot acquire a cyber-secure DR solution that checks all the boxes in the NIST Framework. They cannot do so because no formal objective checklist exists either in general or for specific products. Adding to the difficulty, a specific feature may map to one, two, or multiple components of different NIST Framework categories.

3. A cyber-secure DR solution may not, and probably does not, need to possess all NIST Framework features. The NIST Framework’s subjective nature highlights why IT solutions do not need to possess every cybersecurity feature. Organizations will likely need to construct a cyber-secure DR solution from multiple offerings, potentially from different providers.

This inability to buy a “NIST-certified” solution, the lack of a NIST feature checklist, and the unlikelihood any such options will emerge dictate that organizations take ownership of this task. This requires identifying the core capabilities their cyber-secure DR infrastructure should possess and the products they need to deliver them.

Five Cybersecurity Features Available Now

The products which offer these features and the role they play in a cyber-secure DR infrastructure will vary. However, backup and recovery products already exist which offer five core features organizations may use to secure their DR infrastructure. These features include:

1. Air-gapped backups. Using this feature, organizations may store and manage copies of data in a physical location separate from their primary production location. This feature helps ensure no one can logically or virtually access backups through the organization’s production environment. As the MGM Resorts incident illustrated, storing data physically elsewhere may become necessary if administrative credentials in the production IT environment become compromised. The media (cloud, disk, tape, or optical) on which backups get stored in another location also matters. It affects the backup data’s availability and integrity as well as an organization’s storage costs and data recoverability.

2. Encrypted backups. More hackers, as part of their attack, first copy organizational data outside the organization to a site they own and control. Known as data exfiltration, this practice has become more common. Once hackers create an offsite copy, they may threaten to release the data unless organizations pay a ransom. Even should organizations pay the ransom, they have few assurances the hackers will destroy the data. Alternatively, hackers may never even tell the organization they stole the data. They may simply exfiltrate the data and use it for their own purposes. Backups often contain much or all organizational data. Further, organizations may not carefully monitor access to their backups. This makes them a prime target for hackers to access and copy offsite in an attack. Encrypting backups mitigates the possibility hackers can read or use the backups, even if they do copy them offsite. Organizations may encrypt their backups using a variety of products. Available on