cyber security compliance

dgall

I have been looking into it and you are correct on most everything I see that you wrote. I am not dealing in top secret documents and I am a small business so a few things they are a little more relaxed on I am actually going to take a coarse on cyber security compliance giving by the government in July. I am going to bring in an expert to help I have been told that will cost about 5K not including all the software and hardware I will need to buy. I have to see if my PfSense will fit into this or if I will be upgrading my firewall also.

bmeeks

@dgall said in cyber security compliance:

I have been looking into it and you are correct on most everything I see that you wrote. I am not dealing in top secret documents and I am a small business so a few things they are a little more relaxed on I am actually going to take a coarse on cyber security compliance giving by the government in July. I am going to bring in an expert to help I have been told that will cost about 5K not including all the software and hardware I will need to buy. I have to see if my PfSense will fit into this or if I will be upgrading my firewall also.

Your pfSense hardware is fine. And the software is OK. Where those cyber regulations get you is in the policy area. Lots of fine print in there to pay attention to. All of it is valid and applicable to cyber for sure. I don't mean to poo-poo it, but there is a lot of stuff in there to get straight.

dgall

@johnpoz Thanks for the reply John the kind of work I am looking at local shops are keeping 30-50 people busy all year.

bmeeks

Hiring an expert is a great idea. That person can guide you through the process. Our rules in nuclear were based on NIST 800, but then got modified fairly heavily in an attempt to apply those security controls to power plant industrial control systems. That was a difficult road to navigate for sure! Not having top-secret classification stuff to protect will of course make things a little easier.

dgall

@dgall also John I am using Netgate SG-3100 2.4.4-RELEASE-p2 with 7 computers I am going to upgrade to hardware with a more performance soon my Netgate SG-3100 when barely pushed at all the thermal sensor is in the red and when I set snort IPS Policy Selection on wan and lan to secure my memory usage goes to 100% and slows down to a crawl.

tim.mcmanus

@bmeeks said in cyber security compliance:

I did this type of work in nuclear power stations before I retired. We had very similar rules (and then a bunch more!) to meet. This is a sea of landmines if you have not had special training in the area and have no experience in cyber security. This requires a lot more than just a pfSense firewall. There are requirements for network segmentation and isolation, requirements for portable media controls (USB memory sticks, CD/DVD disks, etc.), requirements for active network monitoring to detect intrusions and a host of policy controls that must be implemented. These mostly involve account management stuff like immediately terminating accounts of employees who leave the company, requiring complex passwords, requiring periodic password resets, restricting access to data based on permissions (meaning using ACLs on files and directories to control access), maintaining documentation of account privileges (who has access to what and why they have it), and on and on and on. Can take a fulltime staff of several folks to keep up with all this and keep a company in compliance.

My advice to you would be to seek out a reputable contractor with experience in this area and hire them to guide you through the maze and get you set up.

Best advice ever!

I too do compliance work as well as audits. Compliance is a maze of things, and if you don't have controls in place, it will cost money to set them up. But I would absolutely hire an expert to help guide you through this and you should also sign up for some compliance coursework too.

dgall

I am bringing in a company to help comply with NIST SP 800-171 from what I am reading and hearing from the experts one of the biggest things on the firewall side along with all the great features PfSense has will be its logging features.
For my company so far it looks like I will have 2 networks with a separate firewall, server, computers for secure documents and software that logs when someone looks at, modifies, copies or deletes a file. All computers on this network will need the USB ports disabled except for the ports for the mouse and keyboard I would like to build a computer without any usb ports but finding a decent motherboard with a PS/2 for a mouse and keyboard is non existent anymore. That is just the few of things on the software and hardware side of it. Consulting for a small company runs between 5K to 8K and thats not including any of the software or hardware.

bmeeks

@dgall said in cyber security compliance:

I am bringing in a company to help comply with NIST SP 800-171 from what I am reading and hearing from the experts one of the biggest things on the firewall side along with all the great features PfSense has will be its logging features.
For my company so far it looks like I will have 2 networks with a separate firewall, server, computers for secure documents and software that logs when someone looks at, modifies, copies or deletes a file. All computers on this network will need the USB ports disabled except for the ports for the mouse and keyboard I would like to build a computer without any usb ports but finding a decent motherboard with a PS/2 for a mouse and keyboard is non existent anymore. That is just the few of things on the software and hardware side of it. Consulting for a small company runs between 5K to 8K and thats not including any of the software or hardware.

It sounds like you are off to a good start. Just as a point of reference, my company spent millions of dollars to get into compliance with the NRC cyber rule for nuclear power plants. To be fair the biggest portion of that was to make some physical design modifications within the plants, but we also spent a lot of money on software and consultants/contractors.

For USB controls you can usually disable the ports, but we were encouraged (maybe strong-armed is a better word) to also use physical port locking devices such as these to further lock down portable media access. Be sure to purchase the proper unlocking key as well. Several companies make this kind of device. Search for USB port blocks.

On the logging side I suggest setting up a third-party SIEM (Security Intrusion and Event Monitoring) system and piping all of the pfSense logs into it via the remote logging features available within pfSense.

johnpoz

@bmeeks said in cyber security compliance:

my company spent millions of dollars to get into compliance with the NRC cyber rule for nuclear power plants.

Yup wouldn't doubt it ;) And don't forget the on going yearly costs to maintain compliance and pass audits... Its by no way a one and done, set it and forget sort of thing... This will be ongoing diligence and upkeep..Its going to be rinse and repeat sort operation.. Better look to bringing someone on staff to deal with it vs just hiring a consultant to get you started. If not multiple people.

Part of the reason you don't see a lot of ma and pop sort of shops doing business with dod and gov is the requirements/costs of doing business with them is not cheap.

dgall

Here is one of the reasons they are doing this https://www.cnn.com/2019/05/02/politics/china-pentagon-report/index.html