MyShare Logo
Mr GM
Mr GM
11 months ago -

📚 NIST SP 800-18 Rev. 1 - The Ultimate Guide sa Paggawa ng Security Plans 🔐💾

Kung may “Recipe ng Crabby Patty” ang mga cybersecurity peeps pagdating sa paggawa ng System Security Plan (SSP), eto na yun — NIST Special Publication 800-18 Revision 1.
Parang Dungeons & Dragons Player’s Handbook, pero imbes na dragons, ang kalaban mo ay hackers, malware, at misconfigurations. 🐉➡💻
💡 Ano nga ba ang NIST SP 800-18 Rev. 1?

In short, ito ay official guide ng National Institute of Standards and Technology (a.k.a. NIST) kung paano gumawa ng Security Plans para sa Federal Information Systems.

Think of it like a recipe book — pero instead of cookies, ang gagawin mo ay document na kayang ipasa sa audit at makaligtas sa cyber attacks.

May template, may step-by-step, at may best practices para walang butas ang security mo.

🛠️ Mga Core Concepts (a.k.a. Cheat Codes)

1. System Boundaries
Para kang gumuguhit ng mapa ng base mo sa Starcraft. Kailangan alam mo lahat ng servers, apps, devices, at kung paano sila nag-uusap.

2. Security Controls
Ito yung mga “defense towers” mo. Encryption, firewalls, access control — lahat documented, kasama paano sila ini-implement.

3. Roles & Responsibilities
Sino ang Tank, sino ang Healer, at sino ang DPS sa cybersecurity team mo. 😆

4. Compliance Evidence
Parang receipts mo sa Shopee — proof na ginawa mo talaga yung sinabi mong ginawa mo. Logs, screenshots, audit trails.

5. Maintenance & Updates
Hindi pwedeng “set and forget.” Lahat ng systems may patching schedule, review dates, at update logs.
🖥️ Example: Kung OSI Model Gamer Ka 🎮

Let’s say federal system na may:

Layer 1: Physical servers in a gov data center

Layer 3: Private IP ranges + segmentation

Layer 7: Web portal with MFA + TLS encryption

Sa NIST SP 800-18, idodocument mo yan lahat, with diagrams, security policies, at kung anong controls ang meron.
📦 Bakit Importante?

Audit-ready ka lagi – kahit biglang may compliance check, goods ka.

May playbook ka – kung may incident, hindi ka nagpa-panic, may guide ka na.

Less drama – kasi malinaw ang roles, rules, at boundaries.

🧠 Tip:

Kung gamer ka, isipin mo na ang SSP ay parang save file ng security state ng system mo.

Pag walang SSP = permadeath mode pag inatake ka. 💀

Pag may SSP = may respawn ka, may backup strat ka, at may cheat sheet ka para sa next game. 🎯

References:

NIST SP 800-18 Rev. 1 – Guide for Developing Security Plans for Federal Information Systems

CIS Controls – Inventory and Control of Enterprise Assets

Mr GM
11 months ago -

Maintenance and Update Cycles "Para Laging Buhay ang Security Plan mo 🚀"

Sa mundo ng cybersecurity, walang forever… lalo na pagdating sa security plans. Kahit gaano ka-solid ang System Security Plan (SSP) mo today, bukas pwedeng outdated na ‘yan. Bakit? Kasi may bagong vulnerabilities, mas malupit na attack techniques, at nagbabagong business needs.
Kaya andito ang maintenance at update cycles—para siguradong updated at aligned pa rin ang security mo sa current threats at requirements.
Bakit Kailangan ng Maintenance?

Security is not “set and forget.” Kapag hindi minemaintain, posibleng mangyari:

Luma na controls na hindi na epektibo sa bagong cyber attacks.

Policy misalignment kapag may binago sa infra o process pero hindi na-update ang plan.

Compliance fails kapag expired na certifications o walang documentation sa mga changes.

Halimbawa: May hospital na gumawa ng security plan 2 years ago, pero wala silang protocol para sa telemedicine (na naging uso after pandemic). Resulta? Risk na ma-expose ang patient data.
Paano Gawin ang Solid Maintenance Cycle?

Ito ang mga dapat kasama:

Scheduled Reviews – May regular check-up (quarterly or yearly) kung match pa rin ang policies sa actual environment.

Patch Management – Siguraduhin na lahat ng hardware, software, at firmware ay updated.

Control Testing – Regular na vulnerability scan, penetration testing, at incident drills.

Documentation Updates – Lahat ng changes, dapat nasa SSP.

Training Refreshers – Turuan ulit ang staff para alam nila ang bagong threats at policies.

Real-World Example: Banking Industry

Sa isang bank na sumusunod sa PCI-DSS rules, usually ganito:

Monthly patching ng payment processing servers.

Review ng firewall rules tuwing may bagong branch.

Update ng encryption standards kapag obsolete na yung luma.

The Compliance Connection

Standards tulad ng ISO/IEC 27001 at NIST SP 800-53 ay mahigpit sa maintenance. Gusto nila may proof na active ang monitoring, updates, at adaptation sa threats.
Bottom Line

Security plan na walang maintenance? Parang superhero na walang training—magiging reactive imbes na proactive. Kaya maintenance and update cycles ang sikreto para laging handa laban sa cyber villains. 💪

Mr GM
11 months ago -

HIPAA-Compliant Encryption (Layer 7 – Application Layer) 🛡️

Sa ilalim ng Health Insurance Portability and Accountability Act (HIPAA), required ang mga healthcare orgs na i-secure ang electronic Protected Health Information (ePHI) — both habang naka-store at habang pinapadala sa network.
Sa Layer 7 ng OSI model (Application Layer), gumagana ang encryption sa mismong application level, para siguradong kahit ma-intercept ang data, hindi ito mababasa ng walang access o key.

Example in Practice:
Isang hospital may patient portal na naka-encrypt ng medical records gamit ang AES-256 bago ito ipadala via HTTPS. Kahit makuha ng attacker ang traffic, magiging scrambled lang ito at unreadable kung walang decryption key — pasok sa HIPAA compliance.

Bakit Importante:

Pinoprotektahan ang confidentiality ng patient records

Panalo sa compliance sa U.S. federal regulations

Iwas sa mabigat na penalties at data breach damages

Secure VLAN Segmentation (Layer 2/3 – Data Link & Network Layers) 🔒

Yung mga medical devices sa hospital network — tulad ng MRI machines, infusion pumps, at patient monitors — kadalasan kulang sa built-in security.
Dito pumapasok ang VLAN segmentation sa Layer 2 (Data Link) at Layer 3 (Network). Nilalagay sa hiwalay na virtual networks ang mga devices para mas ligtas.

Example in Practice:
Isang hospital may hiwalay na VLAN para sa:

Admin workstations

Patient Wi-Fi

Connected medical equipment

May firewall at Access Control Lists (ACLs) para siguruhin na yung medical devices ay pwedeng makipag-usap lang sa mga authorized systems. Resulta: mas maliit ang chance ng lateral movement ng attacker.

Bakit Importante:

Pigil sa pagkalat ng malware sa iba’t ibang network zones

Mas maliit ang attack surface ng critical devices

Pasok sa healthcare cybersecurity standards

Bringing It Together ⚡

Kapag pinagsama, Layer 7 encryption + Layer 2/3 VLAN segmentation = solid defense-in-depth strategy.

Encryption: pinoprotektahan mismo ang data

Segmentation: kontrolado kung sino lang makaka-access sa critical devices

Industry Example:
Sa isang malaking metro hospital, naka-encrypt ang patient health records sa application layer, habang naka-segment sa network ang admin systems, public Wi-Fi, at medical equipment. Kahit ma-compromise ang isang layer, may harang pa rin sa susunod na layer.

References:

U.S. Department of Health & Human Services – HIPAA Security Rule

National Institute of Standards and Technology (NIST) – SP 800-53 Security Controls

Center for Internet Security (CIS) – CIS Controls for Healthcare

Mr GM
11 months ago -

System Boundaries and Environment “Defining the Front Lines of Cybersecurity” 🛡️💻

Sa mundo ng cybersecurity, mahalaga hindi lang kung paano ka magpoprotekta, kundi ano ang pinoprotektahan mo.
Kaya sa kahit anong System Security Plan (SSP), isa sa pinakaunang—and pinaka-critical—na parte ay ang System Boundaries and Environment.

Dito mo ginagawa ang “mapa” ng digital territory mo — kung saan mo ililista at ipapakita lahat ng assets, connections, at interfaces na bumubuo sa system.
Kasi kung hindi malinaw ang boundaries, kahit gaano ka-advance ang security controls mo, may chance na may matatagong vulnerabilities na hindi mo napapansin.
Bakit Importante ang System Boundaries

Isipin mo yung system mo na parang kastilyo (castle 🏰).

Boundaries = walls, gates, at tulay na nagsasabi kung saan nagsisimula at natatapos ang teritoryo mo.

Sa cybersecurity, boundaries:

Clarify scope – malinaw kung ano ang sakop ng security controls.

Prevent scope creep – iwas na maprotektahan ang assets na hindi naman part ng system.

Support compliance – patunay sa regulators na kabisado mo ang perimeter at interconnections ng system mo.

Key Elements na Dapat I-define

1. Network Diagrams

Visual map kung paano magkakakonekta ang servers, clients, devices, at networks.

Isama ang IP ranges, VLAN segments, at firewalls.

2. System Components

Hardware: servers, routers, IoT devices.

Software: OS, databases, web apps.

3. External Connections

Partner systems, cloud services, third-party vendors.

Detalye ng encryption, authentication, at protocols.

4. Operational Environment

Physical location: data centers, remote offices.

Environmental factors: redundancy, backup power, disaster recovery.

Example gamit ang OSI Model

Halimbawa, nagdo-document ka ng boundaries para sa logistics company’s warehouse management system:

Layer 1 (Physical): Barcode scanners at RFID readers via Ethernet.

Layer 3 (Network): Private IP range para sa warehouse devices, hiwalay sa office network.

Layer 7 (Application): Cloud-based inventory app gamit ang HTTPS + TLS 1.3 encryption.

Sa SSP diagram, makikita lahat ito kasama ang gateways papunta sa cloud at connections sa partner carriers’ tracking APIs.
Industry Example: E-Commerce

Boundary: E-commerce platform, payment gateway, CRM system.
Components: Web servers, database clusters, load balancers, payment API.
External Connections: Payment card networks (PCI DSS compliance), shipping provider APIs.

Dahil malinaw ang mapa, mas madali mag-apply ng security controls tulad ng:

Encrypt data in transit

Restrict API access

Segment payment systems mula sa marketing databases

Best Practices sa Pag-define ng Boundaries

I-update diagrams tuwing may system changes.

Gumamit ng standard network symbols para malinaw.

Isama ang logical (software, IPs) at physical (hardware, locations) views.

Tukuyin ang trust zones – areas na may iba’t ibang security levels kahit nasa loob ng parehong boundary.

References:

NIST SP 800-18 Rev. 1 – Guide for Developing Security Plans for Federal Information Systems

CIS Controls v8 – Inventory and Control of Enterprise Assets

Mr GM
11 months ago -

Mr GM
11 months ago -

Mr GM
11 months ago -

Mr GM
11 months ago -

Mr GM
11 months ago -

Mr GM
11 months ago -

Friends

No Friends

Photo Albums

No Albums