Part 2: Focusing on Four Areas within NIS2
Duty of Care has no short checklist of requirements, and no single company can solve every ask in NIS2, but different tools and platforms can each contribute. We want to highlight four key areas within the NIS2 Directive: Monitoring of External Encryption Settings, Coordinated Vulnerability Disclosure, Proactive Scanning, and External Surface Auditing. For reference, see the NIS2 Directive.
1: Monitoring of External Encryption Settings
What it means:
We are talking about assessing, auditing, and confirming how encryption is applied on the systems of external third parties. Imagine that it is important to verify that the encryption settings on a server are up to the latest standards. When a client connects to the server, the two sides perform a TLS "handshake" in which they agree on the protocol version and cipher suite; a correctly configured server only completes this handshake with current, strong settings. This ensures the communication is properly encrypted and cannot be intercepted by an attacker, and it removes the outdated protocol versions and weak cipher suites whose known weaknesses could otherwise be exploited.
Duty of Care Requirements Met:
a) Risk Management and Security Policies: When encryption settings are monitored continuously, the risk of a breach during data exchanges is reduced.
b) Data Integrity and Confidentiality: The integrity and confidentiality of sensitive information in transit are protected when the right encryption settings are in place.
c) Supply Chain Security: The regulation explicitly covers relationships with third parties, so confirming that external data exchanges meet the required security standards is part of compliance. It also gives a measure of the security health of your external vendors.
d) Incident Management: Proactively checking encryption settings surfaces weaknesses earlier, so they can be fixed before they are exploited, and response is faster when something does happen.
e) Compliance with Reporting Requirements: Knowing in advance which external connections are properly encrypted shortens the time needed to scope an incident and meet the notification deadlines, and stronger settings reduce the number of incidents there are to report.
Outcome:
On our side, with Modat, because we do global internet scanning and custom scanning, we can communicate with the server (either within a defined scope or broadly) to "do the right handshake", confirm that encryption settings are properly in place, and check that the server is up to the latest standards.
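The handshake check described above, as an added example that is not Modat's code: a Python probe that completes a handshake as a modern client, records the negotiated protocol version, cipher suite and key strength, then tries TLS 1.0 and TLS 1.1 separately to see whether the server still accepts them, and finally grades the result against a policy. The policy thresholds (minimum TLS 1.2, 128-bit keys, the weak-cipher name markers, forward secrecy required) are assumptions, and the default target host is a placeholder.

```python
"""Probe a server's external TLS settings and grade them against a minimum policy.

Added example, not Modat's code. The policy thresholds below are assumptions.
"""
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy: what "up to the latest standards" means for this check.
MINIMUM_PROTOCOL = "TLSv1.2"
MINIMUM_KEY_BITS = 128
# Substrings of OpenSSL cipher names that mark broken or unauthenticated suites.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "MD5", "ADH", "AECDH")
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


@dataclass
class HandshakeResult:
    host: str
    port: int
    protocol: Optional[str]   # version negotiated with a modern client, e.g. "TLSv1.3"
    cipher: Optional[str]     # OpenSSL cipher name, e.g. "TLS_AES_256_GCM_SHA384"
    key_bits: Optional[int]   # symmetric key strength reported by OpenSSL
    legacy_accepted: List[str] = field(default_factory=list)  # legacy versions the server still negotiated
    error: Optional[str] = None


def _handshake(host, port, ctx, timeout):
    """Connect, complete a TLS handshake with the given context, return (version, cipher, bits)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _version, bits = tls.cipher()
            return tls.version(), name, bits


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> HandshakeResult:
    """Handshake as a modern client, then test whether the server still accepts TLS 1.0 / 1.1."""
    modern = ssl.create_default_context()  # verifies the certificate chain and hostname
    modern.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        protocol, cipher, bits = _handshake(host, port, modern, timeout)
    except (ssl.SSLError, OSError) as exc:
        return HandshakeResult(host, port, None, None, None, error=str(exc))
    result = HandshakeResult(host, port, protocol, cipher, bits)

    for legacy in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False   # only probing version support, not identity
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = legacy
            ctx.maximum_version = legacy
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # OpenSSL 3 blocks TLS 1.0/1.1 at its default level
            version, _, _ = _handshake(host, port, ctx, timeout)
            result.legacy_accepted.append(version)
        except (ssl.SSLError, OSError, ValueError):
            continue  # refused by the server or unsupported locally: nothing to record
    return result


def evaluate(result: HandshakeResult) -> List[str]:
    """Return findings for one probed server; an empty list means it meets the assumed policy."""
    if result.error:
        return [f"handshake with a modern client failed: {result.error}"]
    findings = []
    cipher = result.cipher or ""
    if PROTOCOL_RANK.get(result.protocol, -1) < PROTOCOL_RANK[MINIMUM_PROTOCOL]:
        findings.append(f"negotiated {result.protocol}, below minimum {MINIMUM_PROTOCOL}")
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite negotiated: {cipher}")
    if result.key_bits is not None and result.key_bits < MINIMUM_KEY_BITS:
        findings.append(f"symmetric key strength {result.key_bits} bits is below {MINIMUM_KEY_BITS}")
    # TLS 1.3 suites are always ephemeral; under TLS 1.2 only (EC)DHE suites give forward secrecy.
    if result.protocol != "TLSv1.3" and not cipher.startswith(("ECDHE-", "DHE-")):
        findings.append(f"no forward secrecy: {cipher}")
    for legacy in result.legacy_accepted:
        findings.append(f"server still accepts {legacy} (downgrade risk)")
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder target
    for finding in evaluate(probe_tls(target)) or ["meets the assumed policy"]:
        print(f"{target}: {finding}")
```

The two-stage design matters: a single handshake with a modern client only shows the best the server can do, while the separate legacy probes show the worst it will still accept, which is what a downgrade attack relies on. Run it as `python tls_probe.py host` against a server you are authorized to test; the legacy probes deliberately disable certificate verification because they test version support, not identity.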
2: Coordinated Vulnerability Disclosure
What it means:
Every organization should have a Vulnerability Disclosure Policy (VDP) in place before a vulnerability is found, so that ethical hackers who find issues in your systems know how to report them and you are able to receive that information. This matters because an unreported vulnerability is an open door that hackers with malicious intent can misuse. NIS2 makes coordinated vulnerability disclosure (CVD) mandatory and gives national CSIRTs a coordinating role, so that threat researchers can work with vendors to fix vulnerabilities in software, services and hardware. Coordinated disclosure also lets governments share vulnerabilities with other CSIRTs and vendors in a safe manner.
Duty of Care Requirements Met:
a) Risk Management: A defined Vulnerability Disclosure Policy motivates ethical hackers and third parties to report their findings in a structured and responsible way. This improves information sharing and arms response teams with information before incidents occur.
b) Incident Response: Speed matters. The quicker a team can respond, the better its chance of fixing the vulnerability and halting an incident.
c) Information Sharing and Cooperation: With coordinated information sharing, multiple organizations and security teams benefit when a potential issue is discovered. To build better resilience, we need to work together in an easier and more efficient way.
d) Supply Chain Security: Coordinating the handling of vulnerabilities in third-party products is an important part of overall supply chain security. When there is a clear process for disclosing vulnerabilities, issues are discovered and rectified in a timely way.
e) Compliance with Reporting Requirements: A well-structured VDP ensures that vulnerabilities are reported within the organization and to the relevant external parties, keeping everyone informed.
Outcome:
With Modat, scanning your own servers and detecting their vulnerabilities confirms the actual situation of your external systems. Why does this matter? Finding and fixing issues before they are reported to you prevents you from becoming overloaded with disclosures and thus improves your overall security posture.
3: Proactive Scanning
What it means:
Running scans and detecting issues can happen in two ways:
1) Looking for vulnerable assets that are exposed to the internet
2) Scanning for and detecting malicious infrastructure, before it becomes a problem.
If you don't know what you have, you can't protect it. For example, an employee might set up a new server without following company policies and best-practice guidelines. That server could be missing critical security updates, or be running without network and endpoint protection.
Duty of Care Requirements Met:
a) Risk Management and Vulnerability Assessment: Regular, automated scanning of networks helps assess and identify vulnerabilities and risks. By looking for concentrations of risk and adding contextual data, you gain better intelligence around incidents.
b) Supply Chain Risk Monitoring: Monitoring third parties means they are scanned for vulnerabilities regularly. Concentrations of risk matter especially when an organization relies heavily on a single third party.
c) Security Audits and Penetration Testing: Regular penetration tests and scans look for weak points. Simulating potential attacks identifies where the weaker points are before malicious threat actors can exploit them.
d) Threat Detection and Incident Response: Organizations are expected to conduct continuous monitoring so they can discover and report incidents in a timely manner.
Outcome:
Modat's proactive internet scanning and indexing gives organizations the contextual data needed to turn information into intelligence, speaking to defenders directly, supporting proactive security of systems, and providing earlier awareness of possible issues.
4: Auditing the External Surface
What it means:
By looking broadly at the whole external surface, you get a clear picture of what is there. This is done by scanning the assets exposed on the internet and finding out what they are already, or potentially, vulnerable to.
Duty of Care Requirements Met:
a) Risk Management: Mitigating risk is a primary requirement under NIS2; organizations need to build better resilience into their systems.
b) Security of Network and Systems: Thorough audits, covering both internal networks and external connections, help detect weaknesses and vulnerabilities in the defenses of systems.
c) Incident Response: Revealing where the potential entry points are lets us close them off before threat actors discover them. An audit of the external surface ensures these weak points are found faster, and incident response times decrease.
d) Vulnerability Management: Identifying vulnerabilities on the external surface before they can be exploited gives insight into what is happening and gives defenders a better chance of preventing attacks through these weak points.
e) Asset Management: An inventory of all assets exposed on the internet is needed so we are aware of every possible entry point for adversaries. The more current the inventory, the higher the likelihood of preventing attacks and breaches.
Outcome:
Using Modat, it's likely you'll discover assets that you didn't even know were exposed. That makes the proactive nature of the audit even more relevant and helps form the intelligence that contributes to decision advantage.
Next Steps
What does all of this mean? Now that NIS2 is in force, it acts as a reminder of the importance of building cyber resilience. Being proactive rather than reactive is about more than complying with changing legislation; it is about outpacing adversaries and protecting our systems and infrastructure.
Duty of Care pushes the EU toward a cultural shift to proactive thinking. Enhanced regulation will change how businesses and governments look at resilience, and can build better bridges between EU member states to communicate and defend against cyber attacks together.
We are consciously contributing by helping CSIRTs and their organizations get more accurate contextual data, which allows for faster recognition of and response to incidents and potential threats. This is part of a continuous process of becoming more aware of our situation and better prepared for what's ahead.