US Homeland Security Releases Self Test For Cybersecurity
Recently, there has been case after case of cyberattacks targeting businesses across the United States. This time, hackers have gone a notch higher to attack more than just private entities. In the recent wave of attacks, ransomware attacks hit government-owned corporations like the Colonial Pipeline, courts, and police stations. Schools have suffered the attacks, and several other small businesses have also been affected by the incidents.
In the wake of the rising cyber insecurity, cybersecurity experts have been working tirelessly to enhance cybersecurity measures. One way they do this is to create cybersecurity assessment tools. Such frameworks help in analyzing an organization’s cybersecurity controls and how effective they are in remediating vulnerabilities.
This explains the existence of the Cyber Security Evaluation Tool (CSET) developed by the United States Department of Homeland Security. The tool provides a systematic process for the assessment and improvement of cybersecurity management systems by asset owners. CSET particularly focuses on the security of information networks and control systems in industrial settings.
Homeland Security has made the tool available for download on GitHub under the MIT license, a permissive open source license. It runs on Windows with a standalone installer and features a set of basic, intermediate, and advanced questions. The intent is for organizations to use it by focusing on the basics first, then implementing the intermediate best practice and advanced sections in the future.
What Cybersecurity Professionals Have to Say About CSET
How functional is the CSET tool for small businesses, seeing that it has a lengthy set of questions? To answer this question, we reached out to cybersecurity professionals to hear their thoughts. Our questions to them were:
- Is this something you find useful?
- Are you going to recommend it to your clients?
We also wanted to hear any other thoughts they have about the tool.
Cameron Call, CISSP, Technical Operations Manager, Network Security Associates, Inc., believes that the tool is helpful. He says that the power behind it is the security standards already freely published by NIST and others. Walking through the standards and answering yes or no would do similar things, except you would not have the graphical presentation for the executives. Overall, CSET will help people who are intimidated by these security standards. One feature he likes about it is that it allows users to merge standards.
In using the tool, Call asks users to be brutally honest when answering the questions. Marking something as yes because they “kind of have it” may create a loophole for an attacker to exploit. He also recommends they explore other great standards available, such as the ISO 27000 series and CIS benchmarks. It’s also necessary to look at some of the risk management frameworks available that pair well with the CSET tool.
Not Designed for Small Businesses
Luis Alvarez, the CEO and President at Alvarez Technology Group, says that he looked at CSET when it was announced a few weeks ago. He noticed that, in some ways, it is similar to other assessment tools available for free. For example, it resembles the Project Spectrio for NIST 800-173 assessments needed by government contractors. On the other hand, it is closely similar to some assessment tools available at a cost, for example, CW Identify.
However, Alvarez quickly adds that the big difference is that the CSET tool is best for large organizations with some understanding and sophistication about cybersecurity issues. It definitely would overwhelm a small business or enterprise, he says.
How CSET Works
Once the CSET assessment is complete, it provides a prioritized list of recommendations for enhanced cyber hygiene and cybersecurity posture within an organization. It helps users identify what they need to do to achieve the desired level of security in their ICS or enterprise network within the specific standards selected.
The approach to using the tools entails:
- Bringing together a team of cybersecurity staff, control system engineers, and managers to conduct the assessment using the tool
- Determining the suitable Security Assurance Level (SAL) through a series of questions. The greater the SAL score, the higher the security level an organization requires.
- Depending on the SAL, a list of questions is then generated
- The team will then fill in a form by selecting the cybersecurity standards that apply to their organization. The standards are grouped by industry and purpose. For example, they may apply specifically to the transportation, supply chain, or nuclear security sectors.
- The team graphically captures the IT network of the organization through a diagram drawing tool.
- CSET consequently generates a list of questions relevant to the organization, based on the information the team provides.
- Upon receiving responses to the questions from the team, CSET creates an analysis dashboard. This entails a range of reports highlighting any weak areas in the security systems of the organization.
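The workflow above, modelled as a small Python example that is added here and is not CSET's own code: a SAL derived from consequence ratings gates which questions are asked, questions from several selected standards are merged so a shared control is asked once, and the dashboard counts only a plain "yes" as met (Call's "kind of have it" point) before ranking the gaps by weight. The control identifiers, standard names, SAL derivation rule and weights are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class SAL(IntEnum):
    """Security Assurance Level; a higher level demands more controls."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class Question:
    control_id: str   # hypothetical control label; shared when standards overlap
    standard: str     # hypothetical standard the question belongs to
    min_sal: SAL      # asked only when the assessment SAL is at least this
    weight: int       # assumed relative impact, used to rank unmet controls
    text: str


# Constructed question bank; "AC-1" appears in two standards to show merging.
BANK = [
    Question("AC-1", "STD-A", SAL.LOW, 5, "Are ICS accounts individually assigned?"),
    Question("AC-1", "STD-B", SAL.LOW, 5, "Are ICS accounts individually assigned?"),
    Question("NET-2", "STD-A", SAL.MODERATE, 4, "Is the ICS network segmented from IT?"),
    Question("BK-3", "STD-B", SAL.LOW, 3, "Are control system backups tested?"),
    Question("MON-4", "STD-B", SAL.HIGH, 4, "Is ICS traffic continuously monitored?"),
]


def determine_sal(confidentiality: SAL, integrity: SAL, availability: SAL) -> SAL:
    """Assumed rule: the assessment SAL is the highest of the three consequence ratings."""
    return max(confidentiality, integrity, availability)


def generate_questions(standards: set[str], sal: SAL) -> list[Question]:
    """Select questions for the chosen standards and SAL, asking each control once."""
    seen: set[str] = set()
    selected = []
    for q in BANK:
        if q.standard in standards and q.min_sal <= sal and q.control_id not in seen:
            seen.add(q.control_id)
            selected.append(q)
    return selected


def analyze(questions: list[Question], answers: dict[str, str]) -> dict:
    """Build the dashboard: coverage percentage and gaps ranked by weight; only 'yes' is met."""
    met = [q for q in questions if answers.get(q.control_id) == "yes"]
    gaps = sorted((q for q in questions if q not in met), key=lambda q: -q.weight)
    coverage = round(100 * len(met) / len(questions)) if questions else 0
    return {"coverage_pct": coverage, "gaps": [q.control_id for q in gaps]}
```

A "partial" answer lands in the gap list just like a "no", which is the behaviour an honest self-assessment needs.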
Governments around the world are working hard towards providing cybersecurity assistance to organizations. The primary focus is on organizations considered to be related to critical infrastructure. The CSET tool is one of the exciting examples of what governments are doing to provide such assistance. Critical infrastructure is a significant target area for cybercriminals, and it makes sense that governments are using this approach.
The cybersecurity landscape is constantly changing, with hackers devising new techniques to attack business systems and networks. As such, your organization cannot afford to be complacent about cybersecurity. As part of having a holistic risk management program, it’s essential to incorporate routine cybersecurity assessments. Such assessments allow you to identify the cyber risks that compromise the security posture. This way, you can make more informed decisions on how best to allocate funds for the implementation of controls and network protection.
Unfortunately, your small business may not have the capacity for some assessment tools available on the market today. However, partnering with a trusted managed services provider can help you in this quest. An MSP provides you with comprehensive cybersecurity solutions at an affordable cost. It also provides the expertise required in utilizing such tools. At Ulistic, we are the leading provider of reliable cybersecurity and IT solutions. Contact Ulistic today, and we will help you conduct a cybersecurity assessment of your business systems and networks.