Improving Cyber Security of Internet Web Gateway using NIST Framework

Internet utilization grows every year, and cyber-attacks have become a corresponding risk to the organization. The existing cyber security infrastructure (the web gateway) must be replaced so that the Company can respond adequately to threats, vulnerabilities and viruses. The Company therefore uses the NIST Framework to improve its infrastructure cyber security through the identification of risk. The framework helps the Company identify, assess and manage cyber security risk with regard to replacing the old web gateway. The outcome of replacing the Internet web gateway shall address the current and future profiles and a managed security program based on risk evaluation.


Background
According to research conducted by ISACA's Cybersecurity Nexus, malware and malvertising threats are becoming more destructive as services move from desktop to mobile devices. In 2016 the frequency of malvertising will increase through the injection of malicious advertisements. In our ICT operation, in 2015 we experienced a breach incident in which unauthorized endpoints accessed the internet from our internal network and introduced many viruses to our systems. The ICT Department responded with a policy under which all devices not provided by ICT are prohibited from accessing the internal network, and internet access was revoked for every contractor in the Offshore area. Virus activity has also been rising, introduced by malware from the internet or brought in on external storage holding files that users downloaded outside the Office network. After the policy was applied, many unauthorized devices and users tried to gain access to our network and cyber infrastructure by cracking passwords or stealing them with illegal software. Once a password was compromised, they shared the account and used the internet together, with no adequate control mechanism that would let the ICT Department tell false sessions from true ones.
Their activity not only jeopardizes the reliability and integrity of data and systems but also drives up network and bandwidth utilization. Legitimate users then have difficulty accessing the internet for work activities, including online training, online transactions and other information. The scope of this paper is to improve the existing gateway infrastructure by using the NIST Framework to profile the current situation and the future (expected) outcomes, without changing or evaluating the network environment. Cyber security is defined as the body of technologies, processes and practices that protect networks, computers, programs and data from attack, damage or unauthorized access. The paper examines how the Company manages its cyber security risk in order to replace the existing web gateway, by evaluating the existing cyber security profile and establishing a cyber security program to improve the cyber security infrastructure.
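The shared-account problem described above (one compromised password used by several people, with no way to tell true sessions from false ones) can be surfaced from the gateway's own access logs. The following Python code is an added example, not part of the original paper; the log format, field order, sample lines and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical gateway log format:
# ISO timestamp, authenticated user, client IP, bytes transferred, host
SAMPLE_LOG = """\
2015-06-01T08:00:05 alice 10.1.1.20 52000 intranet.example
2015-06-01T08:01:10 bob 10.1.2.31 1800000 video.example
2015-06-01T08:02:40 bob 10.1.7.88 2500000 video.example
2015-06-01T08:03:15 bob 10.1.9.12 900000 files.example
2015-06-01T09:30:00 carol 10.1.3.5 12000 bank.example
2015-06-01T11:45:00 carol 10.1.3.77 15000 bank.example
"""

def parse(log_text):
    """Yield (time, user, ip, bytes) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def shared_accounts(log_text, window=timedelta(minutes=5), max_ips=1):
    """Return {user: sorted IPs} for accounts seen from more than max_ips
    client addresses inside any single sliding window."""
    events = defaultdict(list)
    for ts, user, ip, _ in parse(log_text):
        events[user].append((ts, ip))
    flagged = {}
    for user, seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1
            ips = {ip for _, ip in seen[start:end + 1]}
            if len(ips) > max_ips:
                flagged.setdefault(user, set()).update(ips)
    return {u: sorted(ips) for u, ips in flagged.items()}

def bytes_per_user(log_text):
    """Total bytes per account, the input for a bandwidth-management policy."""
    totals = defaultdict(int)
    for _, user, _, size in parse(log_text):
        totals[user] += size
    return dict(totals)
```

In the sample, `bob` is flagged because three client addresses use the account within five minutes, while `carol` changing address hours apart is not; the per-account byte totals show which accounts drive bandwidth utilization.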

National Institute of Standards and Technology (NIST) Framework
Cybercrime grows more common by the day, and every company is forced to protect itself against malware, viruses, attackers, and unauthorized users or devices gaining access through the Internet or the internal network. Many organizations therefore establish an IT policy, including guidelines and objectives, in order to manage and secure their network environment with respect to Confidentiality, Integrity and Availability, to govern appropriate usage of ICT resources, or to comply with standards or regulations. The Framework from the National Institute of Standards and Technology focuses on business drivers to guide cyber security activities and treats cyber security risks as part of the organization's risk. The NIST Framework has three parts: the Framework Core, the Framework Implementation Tiers and the Framework Profile. The Framework Core has five (5) concurrent activities: Identify, Protect, Detect, Respond and Recover. The Framework Tiers run from Tier 1 to Tier 4 and help the Company consider its current risk management practices, threat environment, legal and regulatory compliance, and organizational constraints. The Framework Profile helps the Company evaluate the existing risk profile against target (desired) outcomes based on business needs.
ISO 31000:2009 defines Risk Management as principles and guidelines for managing risk. Risk management helps a company identify opportunities and threats and prepare for risk treatment. It covers the identification and evaluation of risk, including consequences, where likelihood and impact are quantified into a ranking, score or priority. Risk management helps the Company produce better decisions or programmes in order to mitigate or manage risk or to meet business needs. In project management there are several types of risk that must be effectively allocated available resources, such as scope risk, technology risk, resource risk, schedule risk, etc.

Improving Cyber security program
This paper uses the NIST Framework to evaluate the existing cyber security profile and the future outcomes represented by replacing the old infrastructure. Of the NIST Framework, only the Framework Core is used, to identify and evaluate risks and gaps. The cyber security program consists of Scope, Orientation, creating the Current Profile, conducting a Risk Assessment, creating the Target Profile, and determining, analyzing and prioritizing gaps. This program acts as a continuation of the existing program, which required improvement in cyber security.

Scope
According to the ICT Policy, the CNOOC SES Ltd IT Policy is intended:
• To ensure prudent and appropriate usage of IT and Communication resources.
• To ensure IT and Communication operations, as a support function of the whole company operation, are carried out in an effective, efficient and secure/safe manner.
This Policy includes guidelines on how ICT governs the best way to achieve the above objectives; control and measurement, such as a balanced scorecard, shall therefore be available, with an annual target of zero security breaches. The scope of this program is to improve the cyber security infrastructure so that replacing the old Internet gateway leads to zero high incidents.

Orientation
Protecting the integrity and availability of data (information) has become a Company priority. The Indonesian government requires the Company to establish and enforce an IT Policy in order to secure the business and Company data (information) against unauthorized users or devices and against disaster events caused by system or hardware failure, virus attacks, or lack of control or monitoring.

Current Profile
The current profile for improving the cyber security infrastructure, in Framework Core terms, falls under the Identify function, category Risk Assessment (ID.RA), whose aim is that the organization understands the cyber security risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. The subcategory is ID.RA-4: Potential business impacts and likelihoods are identified. In the current profile, the web gateway uses Bluecoat SG to protect and manage access through the internet; its configuration is limited, and it has no bandwidth management to manage utilization or priority.

Risk Assessment
The risk assessment gives an overview of the risks, threats and vulnerabilities of cyber security, to gain insight into their likelihood and impact on the organization, as described in the figure below.

Create Target Profile
The target profile is to consistently improve the risk assessment under "Potential business impacts and likelihoods are identified", to provide a course of action for the ICT Department to reduce the gap to the lowest / lower level. The future web gateway cyber security infrastructure shall address the risks and have adequate controls to eliminate them. The future system shall

Action Plan
Password theft and malware infection are the high priorities for risk mitigation. The ICT Department conducts a security program to protect the Company and to socialize and communicate the risk management strategy. Protection shall follow best practice in order to manage legitimate internet sessions, along with bandwidth management and virus protection. The Company also runs a security awareness campaign and regularly assesses asset vulnerabilities and threats to existing services. Endpoints receive the latest antivirus updates and security patches. The number of security breaches shall be no more than one (1) High incident per year, recorded in the Key Performance Indicators. The Company also uses the SANS Top 20 security controls to evaluate and campaign for the security program.

Conclusion
The Identify function of the NIST Framework Core helps the Company portray the current and future profiles and minimize the gap through selected actions and programs for reviewing the cyber security infrastructure; however, an IT policy needs to be established first as a preliminary guideline. The figures below summarize the risk profile captured from the current and future outcomes. Based on our case study, CNOOC SES Ltd decided to procure McAfee even though it is not in the leaders' quadrant in Gartner's research; other justifications, such as budget and previous experience of managing the web gateway, were the primary concern beside ability to solve the