In a CISA Insights bulletin the Cybersecurity & Infrastructure Security Agency (CISA) warns that every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety.
The warning specifically reminds readers of the recent developments in the Ukraine where public and private entities have suffered a series of malicious cyber incidents. Especially highlighting the use of destructive malware against critical infrastructure and the potential damage it can do. The website defacements and data-wiping malware attacks in the Ukraine were originally thought to be different attacks, until it became clear that victims were hit by both, leading authorities to believe the attacks were coordinated.
CISA says it wants to ensure that senior leaders at every organization in the United States, regardless of sector or size, are aware of critical cyber-risks, and take urgent steps to reduce the likelihood and impact of a potentially damaging compromise.
In the document, CISA provides guidelines to make near-term progress toward improving cybersecurity and resilience.
Reducing the chance of an intrusion
To reduce the chance of an unwanted cyber-intrusion, CISA recommends that orgaizations:
- Ensure that all remote, privileged or administrative access requires multi-factor authentication (MFA).
- Update their software, prioritizing updates that address vulnerabilities identified by CISA.
- Disable all ports and protocols that are not essential for business purposes.
- Review and implement strong controls for Cloud services, as outlined in CISA's guidance.
- Sign up for CISA's free cyber hygiene services, including vulnerability scanning.
For those unfamiliar with the CISA list of known, actively exploited vulnerabilities, this is tied to Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third-parties on an agency’s behalf.
One of the most welcomed of the required actions set forth in the directive is that CISA will keep a catalog of vulnerabilities alongside timeframes in which they must be remediated. According to the plan, this catalog will list only the most important vulnerabilities that have proven to pose the biggest risks.
Although CISA can only require action from federal agencies, it's clearly hoped that organizations outside its perview will see the benefit of using the catalog in the same way.
It is interesting to note that the latest list of vulnerabilities includes ProxyToken. ProxyToken is a vulnerability that was fixed in June of last year. It allows an unauthenticated attacker to perform configuration actions on mailboxes belonging to arbitrary users. For example, an attacker could use the vulnerability to forward your mail to their account, and read all of your email. All that organizations need to do to protect themselves from it is patch.
Detecting potential intrusions
The bulletin also offers some simple guidance on how to detect and deal with a potential intrusion:
- Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior, and that they have the logging they need.
- Confirm that your network is protected by anti-malware software, and that signatures in these tools are updated.
- If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
This last point was likely added to the list since there are indications that the attacks in the Ukraine were, at least partly, the result of supply-chain attacks. The Ukraine Cyber Police are investigating the use of Log4j vulnerabilities and stolen credentials as other means of access to the networks and servers.
If an intrusion is detected, CISA recommends that organizations should create a crisis team that already knows how it will respond. The team should have conducted tabletop exercises so that everyone understands their roles if an incident occurs.
Backups can be an important backstop during a cyber-incident such as a ransomware attack, and the bulletin reminds organizations that taking backups isn't enough—they need to test their backup procedures too, so they know they can actually restore their critical data if they need to. Backups should, of course, be isolated and out of the reach of potential attackers.
The Malwarebytes Lock and Code podcast has a wealth of information for people looking to dig deeper into the topics raised by the CISA bulletin. The most recent episode, embedded below, examines why arguably the most important security practice of all—patching—is so hard for organizations.
Previous episodes have included deep dives into why we fail at getting the cybersecurity basics right, why getting backups right is difficult, and what it's like to be at the centre of a ransomware attack—from a sysadmin who has been there.
Stay safe, everyone!