One of the gems to appear on the cybersecurity scene in recent years is the Cybersecurity and Infrastructure Security Agency, widely known by its acronym CISA.
CISA has helped keep cybersecurity in the forefront of the national discussion — exactly where it belongs. CISA’s Shields Up campaign is a prime example.
The campaign provides a centralized place for security news and critical alert updates and publishes the tactics put into use by advanced persistent threats, as well as general attack tools, techniques, and procedures.
Shield’s Up is CISA’s outreach detailing the essential cybersecurity hygiene that every enterprise should follow if they hope to avoid a data compromise or a breach. As security professionals are aware, identity and authentication are fundamental to success, as is vigorous vulnerability management.
Secure your credentials
What does that actually mean in practice? While the username and password credential has reigned since the earliest days of computing, that’s changing fast as most organizations move toward stronger forms of authentication, which also means adding an additional layer of authentication.
Methods specifically mentioned by CISA’s Shield’s Up initiative include a confirmation code sent via text or email, a code from an authentication app, or a biometric such as fingerprint, Face ID, or a FIDO key. FIDO stands for Fast Identity Online, a technical specification that details online user identity authentication for factors such as fingerprint biometrics and two-factor login.
It's important to focus on credentials because they are used in the vast majority of attacks, and it’s why so many phishing attacks start with the objective to steal log-in credentials. Thereafter, once an attacker gets into a system, whether an endpoint or virtualized workload, they are typically going to try to find a way to infiltrate other systems that are accessible from the system they initially breached. From there they will move laterally through an organization, often using stolen credentials and guessed passwords along the way.
While it’s important to protect all systems with strong passwords and multifactor authentication, it’s especially so with administrative accounts.
These accounts are used for access that is critical to the maintenance of an organization but also very powerful, with access to user settings, infrastructure settings and management functionality, and can even change security settings.
Once an attacker gets admin access, they can grant themselves powers to do almost anything they want on relative systems.
Remote systems are often softer targets and can be easily used to target an organization once compromised. It’s essential that they have strong authentication, and even close monitoring when possible.
Mind your vulnerabilities
Of course, it’s about more than just bolstering authentication. Consider CISA’s announcement earlier this year regarding how certain attack groups have exploited vulnerabilities within multifactor authentication protocols. Vulnerabilities must be managed to reduce risk across all devices, as attackers often exploit outdated systems and those with poor configurations. This includes all endpoints, virtual workloads, and mobile devices.
With the growth of hybrid cloud in conjunction with traditional on-premises systems and the growth of remote work, vulnerability management has grown complex over the years. Teams doing this work need to be able to scan on-premises systems, private clouds, and applications on public clouds. All of this complexity adds to an increased number of vulnerabilities that can’t be remediated swiftly.
This means vulnerabilities have to be identified and prioritized so that the riskiest are dealt with first.
For those who aren’t sure, there are a number of resources to look at:
- The CVE database, which catalogs publicly known vulnerabilities.
- The OWASP Top 10 web application security risks, which detail the most common vulnerabilities and how to mitigate them.
In April 2022, a joint advisory published by various government cybersecurity agencies, including CISA, detailed the top vulnerabilities that were exploited in 2021. You can find that advisory here.
When it comes to effective vulnerability management, CISA recommends enterprises regularly update software, operating systems, applications, and firmware on IT network assets in a timely manner.
“Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment,” the agency advised.
Effective vulnerability management programs help to add this type of context to scans and will advise on mitigations.
With literally thousands of vulnerabilities active in small- and mid-sized organizations at any time, and hundreds of thousands of vulnerabilities at larger organizations, such context is crucial so that the highest risks can be reduced first.
