NIST Cybersecurity Framework Core applied to DNS

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a de facto security implementation standard not only for the U.S. government, but for organizations worldwide. This framework defines a common lexicon to facilitate documentation and communication of security requirements and level of implementation. In addition, the framework enables an organization to identify risks and to prioritize the mitigation of risks with respect to business priorities and available resources.

NIST’s CSF seeks to facilitate communications within an organization as well as to external parties when conveying security goals, maturity status, improvement plans and risks. The framework consists of three major components:

  • The framework core defines security activities and desired outcomes for the lifecycle of an organization’s management of cybersecurity risk. The core includes detailed references to existing standards to enable common cross-standard categorization of activities. The core defines these activities across five functions: 
    • Identify – deals with what systems, assets, data and capabilities require protection
    • Protect – implement safeguards to limit the impact of a security event
    • Detect – identification of incidents
    • Respond – deals with security event management, containing incident impacts
    • Recover – resilience and restoration capabilities
  • The framework profile defines the mechanism for assessing and communicating the current level of security implementation as well as the desired or planned level of implementation. The profile applies business constraints and priorities, as well as risk tolerance to the framework core functions to characterize a particular implementation scenario. 
  • The framework implementation tiers define four gradations of maturity level of security implementations, ranging from informal and reactive to proactive, agile and communicative:
    • Tier 1 – Partial – Informal, ad hoc, reactive risk management practices with limited organizational level risk awareness and little to no external participation with other entities.
    • Tier 2 – Risk Informed – Management-approved with widely established organization-wide risk awareness but with informal and limited organization-wide risk management practices and informal external participation.
    • Tier 3 – Repeatable – Risk management practices are formally approved as policy with defined processes and procedures which are regularly updated based on changes in business requirements as well as the threat and technology landscape. Personnel are trained and the organization collaborates with external partners in response to events.
    • Tier 4 – Adaptive – Organization-wide approach to managing cybersecurity risk where practices are adapted to the changing cybersecurity landscape in a timely manner. The organization manages risk and shares information with partners.
The implementation tiers enable an organization to apply the rigor of their selected maturity level to their target profile definition to align risk management practices to the particular organization’s security practices, threat environment, regulatory requirements, business objectives and organizational constraints.

We defined a mapping of the NIST CSF version 1.0 to DNS-specific outcomes in our DNS Security Management book, which I co-authored with Michael Dooley, as published by Wiley IEEE Press in 2017. I've updated this mapping to apply to the latest version 1.1 of the CSF. This mapping is intended as input to your application and interpretation of the CSF for DNS and any feedback is welcomed. I hope this helps you assess your current standing and to prioritize actions towards securing your DNS with this de facto security standard as a guide.
