At a glance.
- Russia hasn't cracked down on ransomware gangs.
- NSA, US Cyber Command, consider a surge against ransomware.
- The US Federal push toward zero trust.
- Considerations of supply chain security.
FBI says Russia hasn’t cracked down on ransomware gangs.
The Record reports FBI Deputy Director Abbate’s remarks that “there is no indication that the Russian Government has taken action to crack down on ransomware actors that are operating in the permissive environment that they’ve created” and “nothing’s changed” following the Putin-Biden summit. Washington’s requests for assistance against specific actors have gone unanswered. National Cyber Director Inglis similarly observed, “I think it’s too soon to say that we’re out of the woods.” The Record characterizes Abbate’s remarks as “the strongest yet by a senior administration official that the Kremlin is ignoring President Joe Biden’s [summit] request.”
A little bit of cyber saber-rattling, Fort Meade style.
That's what they mean by a "surge," Mr. Putin.
SecurityWeek recounts NSA Director and CyberCom Commander General Nakasone’s public comments that the Government is “surg[ing]” against cyber threats with “an intense focus” on intelligence, info-sharing, and the imposition of costs like naming and shaming and revealing TTPs. Nakasone also stressed the Government’s new assessment of ransomware as a threat to national security rather than just criminal mischief.
Achieving zero trust in US Federal agencies.
Federal News Network reviews the challenges to enacting zero trust architectures across Federal Civilian Agencies. Funding remains a concern, and largely contingent on Congressional decisions. Agencies had the opportunity to increase their budget requests in response to Holiday Bear and the Administrative changeover, and indeed their 2022 cybersecurity requests represented a fourteen percent increase over the previous year. Agency leadership is another potential obstacle, with the usual barriers to understanding between IT and non-IT personnel. IT staff can help by emphasizing the connection between zero trust and departmental missions.
While the Office of Management and Budget’s (OMB’s) zero trust memo moves events in the right direction, onlookers have some suggestions for improvement. OMB could pay more attention to enforcement, the development, security, and operations (DevSecOps) process, custom interfaces, network segmentation, token-based authentication, privileged agent use, and eliminating role-based access controls, for example.
“Funding, constant and consistent oversight and long-term accountability are what will make agencies change,” Federal News Network concludes.
We heard from Jason Soroko, CTO, PKI, at Sectigo, who offered some extensive thoughts about the challenges and opportunities the push toward zero trust involves:
“It is encouraging to see the U.S. government’s vision for a federal zero trust architecture emphasizing strong identity policies, encryption, and automation. These are defining principles in today’s digital-first world that government agencies, as well as enterprises worldwide, can greatly benefit from. The traditional pre-pandemic approaches to digital security have been shown to be less effective, and the White House’s latest plans around zero trust reinforce the importance of securing identities and the heightened need for cybersecurity in general.
"The first pillar and required action of the new directive is centered on identity-based security, which is essential for today’s modern enterprises. Zero trust is a set of principles rather than a single technology and ensures proper identity authentication – trust is never implicit and is continually monitored. It centers around privilege, which is assigned to people or devices that have verifiable identities. The demand for this approach worldwide is being driven most recently by the digital transformation and remote work trends. These changes created significant cybersecurity challenges and the need to properly authenticate every device, user, and entity accessing an organization’s network.
"Specifically, the security architecture suggests innovative PKI (public key infrastructure) solutions which are at the heart of zero trust and identity. PKI plays a critical role by consolidating and automating the deployment, discovery, management, and renewal of digital certificates for every device, user, and application across an organization. While PKI is not the only identity solution for multi-factor authentication, it is a mature and strong technology that has innovated to handle the scale necessary for a proliferation of digital identities and the move towards more secure authentication for all nodes on your network.
"Among the new requirements is establishing a single sign-on service for agency employees integrated into everyday platforms being used. This is in line with baseline security requirements for enterprises that have been enforcing company-wide identity. This approach will likely take advantage of single sign-on identity-based technologies such as SAML/OpenID Connect.
"The directive also lists the use of phishing resistant multi-factor authentication for agency staff and public users of online government services. While it is not prescriptive in the types of authentications to be used, personal identity verification (PIV) is specified, which is a U.S. government standard and based on PKI certificates. For the general public using online government services, other credential form factors will need to be utilized, and this will come from a wider range of multi factor authentication (MFA) technologies.
"The other four pillars of the plan also represent important changes being made to the way cybersecurity is addressed.
- "Devices: The government is emphasizing the fundamentals, which is taking inventory of devices. Provisioning devices with strong identities enables security in the form of strong authentication and encryption of data from those devices in transit and at rest.
- "Networks: The US Government will be using standards that have been adopted in the past, but it is important to note the importance of email encryption for all enterprises and the usage of S/MIME standards.
- "Applications: The framework is calling for multi-factor authentication to be integrated at the application layer rather than via the network using a general network authentication such as VPN. This makes PKI certificates an ideal solution because they are ideally suited to single sign-on to multiple applications and can span both cloud and on-premises served applications.
- "Data: Data logging and monitoring are important. But data in the modern digital enterprise crosses hostile network boundaries and needs to be protected. Encryption of data in transit and at rest, which requires digital identities, most commonly in the form of PKI certificates, is crucial.”
Supply chain security, "consequences" for getting it wrong, and bills of materials.
A survey by Venafi concludes that executives think there are problems with the software supply chain, that vendors need to devote more effort to securing it (and to providing assurances that it is secure), and that penalties should attach to failures in this regard. It's a private sector survey, but the challenges of securing supply chains are a public policy issue as well.
Demi Ben-Ari, Co-Founder and CTO at Panorays, wrote to set these concerns in the context of both the recent US Executive Order on cybersecurity and the current state of supply chain security:
“It’s not surprising that a new Venafi report essentially concludes that organizations wish to improve software supply chain security, but have no real consensus about how this can be accomplished. This is precisely why President Biden’s recent Cybersecurity Executive Order called for baseline software security standards, because those standards hadn't yet been defined. The reality is that software supply chain security is still very much uncharted territory, and we still have to figure out how best to address it.
"In the meantime, however, one of the best steps that organizations can take is to look for degrading security posture of third-party software providers over time, which can be a tell-tale clue that something is amiss. It’s also important to map vendors, identify important assets and reduce third- and fourth-party security risk, which can help organizations respond and recover from a third-party breach. This can be accomplished by automating, accelerating and scaling customers’ third-party security evaluation and management process.”
To our follow-up question about the challenges specific to effective use of bills of materials, Ben-Ari wrote:
"With software and hardware bills of materials, it’s important to assess risk. This means that it’s necessary to automatically discover the fourth parties that are producing the materials and make sure that they have undergone external security assessments and internal process reviews. This process is necessary regardless of whether those suppliers are local or spread across the world. In addition, with software components, it's necessary to check for vulnerabilities and misconfigurations."
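As an added illustration of the fourth-party discovery and vulnerability check Ben-Ari describes (example code written for this digest, not Panorays' or Venafi's tooling; the SBOM, supplier names, versions and advisory ID are all constructed):

```python
"""Added example (not Panorays' or Venafi's tooling): walk a constructed CycloneDX-style
SBOM, tier its suppliers (third vs. fourth party) and match components to advisories."""
import json

# Constructed SBOM fragment; all names, versions and suppliers are made up.
SBOM_JSON = """
{
  "metadata": {"component": {"bom-ref": "app", "name": "agency-portal", "version": "1.0"}},
  "components": [
    {"bom-ref": "vendorlib", "name": "vendorlib", "version": "2.3.1", "supplier": {"name": "Vendor A"}},
    {"bom-ref": "jsonparse", "name": "jsonparse", "version": "0.9.0", "supplier": {"name": "Upstream B"}},
    {"bom-ref": "tlsutil", "name": "tlsutil", "version": "4.1.0", "supplier": {"name": "Upstream C"}},
    {"bom-ref": "logfmt", "name": "logfmt", "version": "1.2.0", "supplier": {"name": "Vendor D"}}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["vendorlib", "logfmt"]},
    {"ref": "vendorlib", "dependsOn": ["jsonparse", "tlsutil"]}
  ]
}
"""

# Constructed advisory feed: (name, affected version) -> placeholder advisory id.
ADVISORIES = {("jsonparse", "0.9.0"): "ADV-PLACEHOLDER-0001"}

def supplier_tiers(sbom):
    """Return {bom-ref: tier}: tier 1 = direct (third-party) dependency, 2+ = fourth party.
    Breadth-first walk from the root component, keeping the shortest path's tier."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    tiers = {}
    frontier = [(ref, 1) for ref in edges.get(root, [])]
    while frontier:
        ref, tier = frontier.pop(0)
        if ref in tiers:  # already reached by a shorter path
            continue
        tiers[ref] = tier
        frontier.extend((child, tier + 1) for child in edges.get(ref, []))
    return tiers

def assess(sbom_json, advisories):
    """Return [(name, supplier, tier, advisory-or-None)] sorted so fourth parties come last.
    Tier 0 means the component is listed but never reached from the root (orphan entry)."""
    sbom = json.loads(sbom_json)
    tiers = supplier_tiers(sbom)
    findings = []
    for c in sbom["components"]:
        adv = advisories.get((c["name"], c["version"]))
        findings.append((c["name"], c["supplier"]["name"], tiers.get(c["bom-ref"], 0), adv))
    return sorted(findings, key=lambda f: f[2])
```

Calling `assess(SBOM_JSON, ADVISORIES)` reports jsonparse, which the first party never chose directly but which arrives through vendorlib, as a tier-2 (fourth-party) component carrying the matching advisory.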