Companies continuing to use software with identified vulnerabilities opens the door to a cyber incident on critical infrastructure.
“To be clear, there is no certainty there will be a cyber incident on critical infrastructure,” Neuberger said, but industry must take action to respond to possible threats. She added that the U.S. has improved its cyber defensive capabilities since President Biden took office, but said threats remain and specifically expressed concern that companies continue to use software with identified vulnerabilities.
On March 28, the White House announced a budget plan under which the Cybersecurity and Infrastructure Security Agency would receive $2.5 billion, an increase of $486 million over fiscal 2021, as part of the White House budget request for the upcoming fiscal year. The plan will fund activities that support the cyber EO mandates.
Cyberattacks are always a threat. But on March 21, 2022, the Deputy National Security Advisor for Cyber, Anne Neuberger, upped the ante. In response to intelligence that Russia is “exploring options” for launching cyber-attacks against US critical infrastructure, she warned, “Lock your digital doors, make it harder for actors, make them do more work.”
While she made it clear that there was no specific threat or certainty that an incident would happen, the fact that she made a public announcement is chilling. It means the White House is concerned. Perhaps not tomorrow, but eventually, something big will happen. Will you be prepared? Will you know what it looks like to be “prepared”?
Neuberger didn’t just issue a warning. She also issued recommendations from changing your passwords and multi-factor authentication to employee education and exercising your emergency plans. And she expressed specific concern about organizations that continue to use software with identified vulnerabilities. Add all this to the Cybersecurity Executive Order issued last May, and a roadmap of best practices comes into view.
Shifting strategically left
“Is Your Critical Software Hardened?” “The Biden administration has prioritized strengthening cybersecurity defenses to prepare our Nation for threats since day one. President Biden’s Executive Order Improving our Nation’s Cybersecurity is modernizing the Federal Government defenses and improving the security of widely-used technology.”
The Biden administration has focused on strengthening our nation’s cyber-defensive capabilities and issued a very detailed Executive Order in May 2021. One of the directives required all software the US government purchases to meet security standards in how it is built and deployed.
Part of the strategic shift in the defense of Federal infrastructure is a DevSecOps approach to development that builds security into products from the ground up—to “bake it in” instead of bolting it on after development. This shift positions agencies to better fend off sophisticated adversaries.
Develop software only on a highly secure system, one that is accessible only to those working on a particular project, as in an air-gapped environment. Organizations “air-gap” their most sensitive applications and data; initially a strategy used by governments, it is now being adopted in the private sector. This development strategy makes it very difficult for an intruder to jump from system to system, compromise a product, or steal your intellectual property.
Take another look at your vulnerabilities.
Most software is built from many different components and libraries, many of them open source. Make sure your developers know the origins of the components they are using and maintain a “software bill of materials” (SBOM), so that if one of those components is later found to have a vulnerability you can rapidly identify where it is used and correct it.
CISOs face more demanding challenges today than ever. Modern automation tools can help you check for known and potential vulnerabilities. They can automatically review code and find most coding errors before a malicious actor takes advantage of them.
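The SBOM use case above, as an added example that is not part of the original post: a small script that cross-references a constructed CycloneDX-style SBOM against a constructed advisory list and reports which shipped components sit below the fixed version. The SBOM contents, package names and advisory ids are all placeholders.

```python
import json

# Constructed CycloneDX-style SBOM with only the fields this check needs; not a real inventory.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.3.1"},
    {"type": "library", "name": "example-yaml", "version": "5.4.0"},
    {"type": "library", "name": "example-json", "version": "1.0.9"}
  ]
}"""

# Constructed advisory feed: package, first fixed version, placeholder advisory id (not real CVEs).
ADVISORIES = [
    {"name": "example-http", "fixed_in": "2.3.2", "id": "ADV-PLACEHOLDER-1"},
    {"name": "example-yaml", "fixed_in": "5.3.0", "id": "ADV-PLACEHOLDER-2"},
]


def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def affected_components(sbom_json, advisories):
    """Return [(name, version, advisory_id, fixed_in)] for SBOM entries below an advisory's fix."""
    sbom = json.loads(sbom_json)
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    findings = []
    for comp in sbom.get("components", []):
        for adv in by_name.get(comp["name"], []):
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append((comp["name"], comp["version"], adv["id"], adv["fixed_in"]))
    return findings


if __name__ == "__main__":
    for name, ver, adv_id, fixed in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{name} {ver}: {adv_id}, upgrade to >= {fixed}")
```

Numeric version comparison matters here: a string compare would rank "1.10.0" below "1.9.0" and miss the finding.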
Secure those endpoints.
System hardening mitigates risks from vulnerabilities by ensuring that organizations implement secure configurations. By using STIGs and CIS benchmarks, organizations can build more robust security. They act as a checklist to ensure hackers can’t get in using any known avenues. Automating these lower-level controls and documenting the processes gives organizations a way to prevent threat actors from exploiting software and firmware vulnerabilities.
The same automation tools that ensure STIG/CIS compliance and a secure infrastructure configuration can also be used for continuous diagnostics and mitigation (CDM), to ensure that the secure baseline you create stays that way. Neuberger also recommended that you exercise your systems and drill your emergency plans, so you are prepared to respond when the time comes.
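A baseline-drift check of the kind CDM automation performs, as an added example that is not part of the original post: it parses a constructed sshd_config snapshot and reports each setting that deviates from a small hardening baseline. The keyword names are real sshd options; the expected values are illustrative and not quoted from any particular STIG or CIS benchmark.

```python
# Constructed hardening baseline (illustrative values, not copied from a STIG or CIS benchmark).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed snapshot of a host's sshd_config that has drifted from the baseline.
CURRENT_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
#X11Forwarding no
MaxAuthTries 4
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} using the FIRST active occurrence of each keyword,
    which is how sshd itself resolves duplicate directives."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives are not in effect
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_drift(config_text, baseline):
    """Return [(keyword, expected, actual)] for every baseline setting that is missing,
    commented out (actual is None) or set to a different value."""
    current = parse_sshd_config(config_text)
    drift = []
    for key, expected in baseline.items():
        actual = current.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            drift.append((key, expected, actual))
    return drift


if __name__ == "__main__":
    for key, expected, actual in check_drift(CURRENT_SSHD_CONFIG, BASELINE):
        print(f"DRIFT: {key} expected {expected!r}, found {actual!r}")
```

A commented-out directive is reported as drift rather than silently passing, because sshd falls back to its default for that option.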
Trust no one.
Implementing a Zero Trust strategy means shifting focus from various authentication and access controls to tailored controls around sensitive data stores, applications, systems, and networks. These controls leverage identities, commission/decommission users, and broker their access based on defined roles.
The baseline strategy is to make it much harder for users without permission to gain access to your systems in the first place. It also prevents malicious actors from moving around within the systems if access is gained—they may be able to enter, but they won’t get far.
Answer the call to action.
Resilience implementation should be a shift left; a shift in culture through a process of continual improvement, automation and innovation. It should be based on short iterations with clear direction, addressing issues and building out capabilities in turn, with due consideration for threats as they arise. If Russia decides to attack, you can’t say you weren’t warned. The time to act is now. As Deputy Neuberger observes, “There are cyberattacks that occur every day. Every single day should be a call to action.” But now it is wise to reassess your risk.
Hardening your organization’s infrastructure and maintaining STIG compliance is good cyber hygiene, basic “blocking and tackling.” Automation liberates your security engineers and enables them to focus on higher-level cyber security projects.
Practicing good cyber hygiene by taking a strategic approach to development, securing your endpoints, implementing Zero Trust, and scanning for system vulnerabilities will catapult you further down the road to thwarting hackers for good. And automation makes it all more practical. If you need help with your plan, we’re happy to oblige.
Time is of the essence!