What Is NIST and Why Should You Care About It?
Dave Hodgdon and Steve Ripper from Portsmouth Computer Group (PCGIT) discuss NIST, the National Institute for Standards and Technology, and why you should care about it.
Mike: And the Morning Information Center, all powered by Portsmouth Computer Group, with convenient locations in Portsmouth and Dover, now of course Manchester, Portland, Maine. For world class IT service and customer support go to pcgit.com. Our tech tip of the week, brought to you by Portsmouth Computer Group. Our good friends, Dave Hodgdon, and Steve Ripper, once again, remotely from an undisclosed location. Gentlemen, good morning to you. Welcome. How are you?
What is NIST?
There’s a term that you guys are going to talk about today. N-I-S-T, NIST. It stands for the National Institute for Standards and Technology. What is that, and why should I care about that? Or why should anybody care about that?
Steve Ripper: Yeah. So why… You know, in computers, Mike, we have all these three and four letter designations. We love them, right? We’re always throwing letters at you.
Mike: Mm-hmm (affirmative).
What Does NIST Do?
Steve: So why do you care about this one? That’s the organization that provides the framework for all the security that we do. So when we talk about the security things, we have to have a process that we follow. Think about Miranda rights and things like that, that the police follow. They have rules and they have a list that they go through to make sure that they’re getting it right.
Mike: Hey, listen-
Steve: That’s what NIST is for us.
Mike: Steve, I haven’t heard the Miranda rights in quite a long time.
Steve: Yeah, no, that’s good, right? So hopefully no one listening out there had to hear the Miranda rights. Hopefully the closest they’ve gotten to them is on TV, right?
Mike: Yeah.
Steve Ripper: But the NIST is like that for us. It’s a list of terms and steps that we follow when we’re doing security for you, when we’re thinking about how we’re going to protect you, your company, your data, your online identity, all of those things. We have to have a framework for how we do that.
Mike: Sure.
Steve Ripper: Because we can’t just make it up. And we can’t have several companies… You know, Amazon can’t make up their own rules, and IBM make up their rules, and PCG make up their… We all have to kind of follow a standard. So that’s what NIST is.
Framework of Company Security
Mike: So Dave, this framework is important? This is all part of company security?
Dave Hodgdon: It is. It’s the framework. As he says, it’s the pillars of what you, as an organization, a practice… A lot of companies, manufacturing, professional services, have to follow these NIST practices in order to be giving out grants, in order to do work for the government. And again, it’s just as Steve said, it’s the framework. The framework is key. And it has the five key categories. We want to go over that with you.
Mike: Yeah, so what are those five framework categories that people should be aware of?
Dave: I’ll start with the first one. But again, these are the steps that you’re going to go through, your security. The first big one… I always talk about the house here, you kind of think about this. But the first one is to identify, what do we need to protect? What assets, what risks? And a PCG can help you do a risk assessment and get a baseline of where your company stands.
Mike: Okay.
Dave: The next one is to protect. What are you going to do to protect your house? From this standpoint, you may put a fence around your house, you might have an alarm system. But you have to have various permissions and maintenance and training. Anything else on that one, Steve?
Steve: Yeah, no, you got that one. So again, this is like the playbook. That’s what we’re describing. You guys, we’re playing from a playbook of what we’re going to do, so we don’t miss any steps. You know? So under protection this is things like, are we keeping your servers up to date, right? So that’s going to protect you going forward from being attacked or hacked or anything else like that.
The third category is detect, or detection, okay? It’s really an important one. This one you see every day. If you sit at your computer, you should have antivirus in the lower right corner of your Windows machine. Antivirus is part of detection, right? Intrusion prevention on your firewall. Scanning. If you were to call us or you call a security company to do a scan, for the accounting people out there who have to have PCI compliance scans…
Mike: Right.
Steve: That’s who we’re talking about, detection. We’re detecting if there are any problems? Or are there viruses? Or is there somebody hacking into the network? That’s what we’re talking about there.
Mike: I see, okay. And what else do we have on that?
Dave: Next section would be response. You know, how are you going to respond? So if an event happens, what are you going to do as a team? So we always recommend that your team gets together if something happens. We’ve always talked about ransomware. If it actually happened, how will you respond? You’re going to contact the PD, you’re going to contact the FBI, you’re going to contact your insurance. But you want to make sure what’s in place, how are you going to deal with it, how are you going to mitigate it, figure out what went wrong, how are you going to clean it up, and how are you going to prevent that again.
Mike: Alrighty. And Steve, what’s the final one?
Steve: Yeah. So the final one is recovered. Okay, so what are we doing to recover from this? We’ve detected somebody, or we figured out there’s a virus in there. We’ve responded to it. Okay, how are we going to recover from it? Are we going to get your data back from tape? We used to call it tape, from a backup.
Mike: Yeah.
Steve: Okay, what are we fixing? Okay, how did they get in? How did this happen? So we need to fix those security flaws so we don’t have any other problems going forward. And then we’re going to have like a continuity plan, right? So that we can… And NIST is how we approach this. The business continuity plan is how each individual company applies it, and how we help them apply it.
Mike: I see, okay.
Steve: So those are basically the five steps.
Mike: Let me ask you this. Steve, you mentioned something about, in one of the steps, you talked about server updates, how important that is. When someone needs to update servers for instance, in their system, what does that actually mean? When you update a server, what do you have to do to do that?
Steve: So there’s two parts to that, Mike. The hardware itself, if you have a hardware server.
Mike: Okay.
Steve: Okay. So if you have an HP server or a Lenovo server, there are going to be updates for the hardware that’s inside of it. Typically we call that firmware, right? So we’re going to do firmware updates, maybe the RAID card, or the motherboard, or the hardware.
And then there’s also the software, right? So most servers that PCG would deal with are Windows servers, right? So Microsoft is going to put out patches for those Windows servers.
Mike: Gotcha.
Steve: It should happen automatically, Mike. But if it doesn’t, and somebody’s not watching it, they can lapse. And if they lapse, then that’s the security flaw. And that’s where we try to catch that, in these steps that we’re talking about.
Mike: Dave, you’re very highly recommending that companies follow the National Institute for Standards in Technology, right? You’re highly recommending that?
Dave: Absolutely. As we said earlier, it’s the framework. We’ve been preaching this, the security the whole time. Again, it’s just a standard list. We’ve always… Kind of like following, you’re driving, you’re following the rules to the law. You’re following the speed limit. There’s rules. As you engage, you drive. You know, every time you leave the driveway, you should be following the rules. It’s the same thing within your computer system, as far as IT. And it’s allowing you and your company to stay compliant, to be open for those jobs or bids, because they’re going to ask if you’re NIST compliant, and it’s showing that you’re truly trying to honor those rules and follow it to the best of your ability to be secure.
Mike: So it really affects kind of a reputation for a company as far as vendors go. Correct?
Dave: Absolutely. That’s a huge point, Mike, right there. And a lot of times they’ll promote it on their site that they’re NIST compliant. That shows that they want to minimize their risk.
Mike: Gotcha, yeah.
Dave: That they have a good security posture. And especially, many manufacturers are doing work for the government and stuff. I mean, you got to have some form of clearance. You need to play by the rules.
Mike: So let me ask you this. Dave and Steve, do you find that a lot of companies are not NIST compliant?
Dave: Many.
Steve: Yeah, many are not.
Mike: Many are not.
Steve: Many are not.
Mike: Okay.
Steve: Many necessarily may not need to be, to be able to have the certification, where they have the credential, Mike.
Mike: Right.
Steve: But we would apply this at all times. Just like you don’t really… The rules of the road apply all the time, no matter what you’re doing.
Mike: Sure.
New NIST Rules
Steve: So that’s how we view the new NIST rules as well. They apply all the time, whether you’re a three-person company or a 300-person company, it doesn’t matter. You need to be saying, “What machines do I need to protect? What do I need to protect? Where’s my data?” You need to protect it. You know, you need to be maintaining, you need to be training your users. You need to be putting antivirus in places. You need to have a plan if something goes wrong, that’s where the response comes in. And you need to have backups for the recovery so that you can just get back up and going, and just not have your business fall apart.
Mike: Wow.
Steve: Basically you’re following all those rules, no matter how big or small you are.
Mike: NIST! Yeah.
Dave: You got to realize, Mike, that you’re dealing with data that’s sensitive. You are collecting data information about many people that you’re working for.
Mike: Right.
Dave: And that data is sensitive. You know, just think about the medical, what they all call HIPAA compliant, that you need to follow those rules of engagement. You know, even though you’re medical, you’re still following this from the security standpoint. But you are sitting on everyone’s data, and if there’s a breach there’s a risk there, and that’s going to affect your business, staying there for the long term.
Mike: I like it. NIST. I learned something new. National Institute for Standards and Technology, and companies should follow that NIST standard. Any final words today, Dave?
Dave: Just have a great week. We’re almost in June right here. But if you want to see if your company’s NIST compliant, give us a ring at 431-4121, or visit us at pcgit.com. We can do a risk assessment and see where you guys stand and help you out.
Mike: All right. Dave Hodgdon, Steve Ripper from the Portsmouth Computer Group here in Portsmouth and Dover, now of course Manchester, Portland. You can check them out, pcgit.com. Always great to talk to you guys on Tech Tuesday. Have a great week. We’ll talk to you next week, and thanks for joining me today on WTSN Radio. Do appreciate it, guys. Have a good one.
Dave: We’ll see you in June.
Mike: All right.
Steve: Bye, Mike.
Mike: Bye bye, guys.
7:53 on WTSN. NIST! There you go. National Institute for Standards and Technology, and it seems to be very important that companies follow the NIST standard. You can call Portsmouth Computer Group, they can find out if you are NIST compliant: 431-4121.