At a glance.
- CISA, NSA, and the FBI warn of Russian cyber operations.
- ICT SCRM Task Force announces new members and strategies for 2022.
- Prospective FISMA updates.
- World Economic Forum’s Global Risks Report 2022.
US cybersecurity alert focuses on Russian-backed cyberoperations.
A joint Cybersecurity Advisory issued by the US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) urges organizations to protect themselves from Russian state-sponsored cyberoperations.
The advisory details commonly observed TTPs (tactics, techniques, and procedures), methods of detection, incident response recommendations, and mitigation strategies intended to bolster the cybersecurity community’s ability to reduce risk. “CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting.” Mitigation strategies include minimizing coverage gaps, preparing for cyberincident response, creating structured resilience and continuity of operations plans, and strengthening identity and access management.
Tim Erlin, VP of Strategy at Tripwire, notes that the alert contains important, actionable information:
“It’s important to remind ourselves that critical infrastructure is more than just a phrase. It describes a vast cross-section of infrastructure on which our nation relies. Critical infrastructure really is critical.
“This alert not only contains information about the threat, but real, actionable information that organizations can use to defend themselves. The use of the MITRE ATT&CK framework to identify the malicious activity, and to map to valid mitigation actions is highly valuable.
“This alert is focused on a specific set of threats and actions to identify and respond to those threats. Organizations should also review their preventive controls against the tools and techniques described in this alert. Identifying the attack in progress is important, but preventing the attack from being successful at all is better.”
Erich Kron, security awareness advocate at KnowBe4, observes that attacks against infrastructure aren't new, but that international crises make them more likely:
“Targeting critical infrastructure is nothing new; however, the increased attacks are certainly something to be concerned with, especially given the tensions between the U.S. and Russia over the Ukraine border crisis. Russia has very advanced cyber warfare skills which keep them hidden once a network is compromised, although ironically, the initial attack vectors are typically those of low-tech email phishing campaigns, taking advantage of people reusing already compromised passwords or using easily guessed passwords.
“To strengthen organizations against these attacks, it is critical that they have a comprehensive security awareness program in place to help users spot and report suspected phishing attacks and to educate them on good password hygiene. In addition, technical controls such as multi-factor authentication and monitoring against potential brute force attacks can play a critical role in avoiding the initial network intrusion.”
ICT SCRM Task Force announces new members and strategies for 2022.
The US Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force held its first meeting of 2022, setting out plans for the new year and announcing new members. CISA explains that the public-private collaboration is devoted to mitigating the risks faced by ICT supply chains, and that by adding the Small Business Administration, the National Association of State Procurement Officials, and the National Association of State Chief Information Officers to its ranks, the task force hopes to find methods for improving the resilience of ICT supply chains. Task Force Co-Chair and CISA Assistant Director Bob Kolasky explained, “Given the risks facing the Nation’s supply chains, particularly around hardware and software, the work of the Task Force remains essential. One of our goals this year is to expand the utility of the work of the Task Force to a broader audience.”
FISMA updates focus on outcomes.
US lawmakers gathered for a hearing yesterday with former cybersecurity officials to discuss improvements to the Federal Information Security Modernization Act (FISMA), originally enacted in 2002 as the Federal Information Security Management Act, which sets cybersecurity requirements for federal civilian agencies. Members of Congress contend that the law, last modified in 2014, needs to be updated to concentrate less on compliance and more on outcomes, Bank Info Security reports. Representative Carolyn B. Maloney, chair of the House Committee on Oversight and Reform, and Representative James Comer, the committee's ranking member, have drafted a companion bill called the FISMA Modernization Act of 2022. Maloney said that the existing law is "simply not enough to protect us in its current form. Threats have transformed dramatically since FISMA was updated in 2014, and in ways that were unimaginable since the law was first written 20 years ago."
The bill seeks to clarify federal cybersecurity roles by assigning policy development and oversight to the Office of Management and Budget (OMB), operational coordination to CISA, and overall strategy to the National Cyber Director. OMB's federal CISO would become a deputy national cyber director with budgetary review authority. The bill also pushes for a risk-based cybersecurity posture incorporating, among other things, Zero Trust principles, endpoint detection and response, cloud migration, and automation. Other changes include modernizing agency reporting requirements, expanding information sharing to maintain IT asset inventories and software bills of materials, and requiring CISA to remove barriers to shared services and technical assistance. One of the industry experts at the hearing, Grant Schneider, Venable’s senior director of cybersecurity services and a former federal CISO, stated, "FISMA must evolve just as the threats and the nature of our IT environments continue to evolve."
World Economic Forum’s Global Risks Report 2022.
The World Economic Forum, an international lobbying organization, has released this year’s Global Risks Report, which conveys the results of its annual Global Risks Perception Survey (GRPS); chapter three is devoted to “Digital Dependencies and Cyber Vulnerabilities.” As the report explains, “Technological risks—such as ‘digital inequality’ and ‘cybersecurity failure’—are other critical short- and medium-term threats to the world according to GRPS respondents, but these fall back in the rankings towards the long term and none appear among the most potentially severe, signalling a possible blind spot in risk perceptions.” The report argues that COVID-19 has only accelerated the rapid digitization of world industries, while cyberthreats have begun outpacing society’s ability to respond. It cites a 435% increase in ransomware attacks in 2020, attributes 95% of cybersecurity issues to human error, and forecasts that digital commerce will grow in value by $800 billion by 2024. The chapter concludes, “At the organizational level, upskilling leaders on cybersecurity issues and elevating emerging cyber risks to board-level conversations will strengthen cyber-resilience.” The writers also highlight the need for a deepening of digital trust: “Unless we act to improve digital trust with intentional and persistent trust-building initiatives, the digital world will continue to drift towards fragmentation and the promise of one of the most dynamic eras of human progress may be lost.”