Government – Security Intelligence (https://securityintelligence.com): Analysis and Insight for Information Security Professionals

CIRCIA feedback update: Critical infrastructure providers weigh in on NPRM
https://securityintelligence.com/articles/circia-feedback-update-critical-infrastructure-providers-weigh-in-nprm/
Published Wed, 14 Aug 2024 13:00:00 +0000

In 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) went into effect. According to Secretary of Homeland Security Alejandro N. Mayorkas, “CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors.”

While the law itself is on the books, the reporting requirements for covered entities won’t come into force until CISA completes its rulemaking process. As part of this process, the agency has released a 447-page Notice of Proposed Rulemaking (NPRM), which was opened for feedback on April 4, 2024. As of July 3, 2024, the feedback period has closed — here’s a look at what industry groups and organizations have been saying about the proposed rule, its impact and where it may come up short.

Healthcare: Concerns coalesce over duplicate requirements

Healthcare organizations are raising red flags over what they consider to be duplicate reporting requirements. Both the American Hospital Association (AHA) and the Medical Group Management Association (MGMA) are concerned that new rules under CIRCIA are effectively redundant versions of those outlined by HIPAA.

The AHA and MGMA make the argument that since healthcare agencies are already responsible for reporting breaches under the HIPAA Breach Notification Rule, similar requirements under CIRCIA will add more work with no benefit. They are especially concerned about potential penalties under the rule, which could see unreported incidents sent to the Attorney General and lead to civil actions or contempt of court charges.

According to a letter from the AHA to CISA Director Jen Easterly, “The AHA acknowledges that the spread and impact of cyber crime require the federal government to take strong actions to protect American citizens, punishing victims is counterintuitive and counterproductive.”

From the perspectives of both the AHA and MGMA, CIRCIA, in its current form, makes it more difficult for healthcare organizations to effectively respond when incidents occur. Instead of protecting patients and dealing with immediate impacts, businesses would instead have to focus on meeting multiple reporting requirements.


Critical infrastructure: Issues emerge around scope and time

Critical infrastructure agencies are also voicing their concerns about the proposed rule. According to Cybersecurity Dive, they’re worried about the time window for reporting requirements and the scope of incidents covered by CIRCIA.

Under the proposed rule, covered entities would have 72 hours to disclose a breach and just 24 hours to report any ransomware payments. Given the potential impact of infrastructure disruptions such as energy grid attacks or water treatment plant compromises, industry advocates worry that such tight reporting timelines could frustrate efforts to remediate issues and get services back up and running.

As a result, groups such as TechNet and the American Gas Association (AGA) are urging CISA to limit the scope of initial reporting requirements to only the most critical sectors of critical infrastructure providers. TechNet specifically argues that while critical functions are an integral part of infrastructure operations, not all parts of the organization are responsible for these functions. By limiting the definition of “critical,” they argue that teams will be better able to respond.

From suggestion to action

With the feedback period now closed, CISA will review industry comments and make adjustments to the NPRM they deem necessary. While there’s no word on when the final rule will be released, it probably won’t happen before 2025.

For critical infrastructure organizations, the result is a waiting game. CISA hasn’t offered any comments on the feedback or the likelihood of any proposed changes. Ideally, the final rule meets somewhere in the middle, with reporting timelines that are shorter than providers prefer but long enough that they can effectively identify incident causes and remediate key risks.

The post CIRCIA feedback update: Critical infrastructure providers weigh in on NPRM appeared first on Security Intelligence.

Important details about CIRCIA ransomware reporting
https://securityintelligence.com/articles/circia-ransomware-reporting-important-details/
Published Thu, 30 May 2024 16:00:00 +0000

In March 2022, the Biden Administration signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments.

The CIRCIA incident reports are meant to enable CISA to:

  • Rapidly deploy resources and render assistance to victims suffering attacks
  • Analyze incoming reporting across sectors to spot trends
  • Quickly share information with network defenders to warn other potential victims

As they say, the devil is in the details. In early April, the 447-page Notice of Proposed Rulemaking (NPRM) was published by CISA in response to its responsibilities mandated by CIRCIA. The document is now open for public feedback through the Federal Register.

Considering CIRCIA and its newly published NPRM, what might incident reporting for ransomware attacks look like in the future? Let’s find out.

How does CISA define ransomware?

As per CISA, “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.”

Ransomware groups often target and threaten to sell or leak stolen data or authentication information if the ransom is not paid. Ransomware attacks have become increasingly prevalent among state, local, tribal and territorial (SLTT) government entities and critical infrastructure organizations.

How might incident reporting for ransomware differ from other attacks?

CISA’s NPRM proposes four types of impacts that would result in an incident being classified as a substantial cyber incident and, therefore, reportable. The four types of impact include:

  • Impact 1: Substantial Loss of Confidentiality, Integrity, or Availability
  • Impact 2: Serious Impact on Safety and Resiliency of Operational Systems and Processes
  • Impact 3: Disruption of Ability to Engage in Business or Industrial Operations
  • Impact 4: Unauthorized Access Facilitated Through or Caused by a: (1) Compromise of a CSP, Managed Service Provider or Other Third-Party Data Hosting Provider, or (2) Supply Chain Compromise

CISA is further proposing that substantial cyber incidents include any incident regardless of cause — whether or not ransomware is involved. These could be a compromise of a cloud service provider, managed service provider or other third-party data hosting provider; a supply chain compromise; a denial-of-service attack; a ransomware attack; or exploitation of a zero-day vulnerability.

CIRCIA requires covered entities to report to CISA any covered cyber incidents within 72 hours after the entity reasonably believes that the covered cyber incident has occurred.

Meanwhile, ransom payments made in response to a ransomware attack must be reported within 24 hours after the ransom payment has been made. Clearly, CIRCIA places ransomware as a reporting priority.


What are the steps to follow for ransomware reporting?

As far as ransomware reporting is concerned, CISA’s NPRM outlines four steps:

  1. A covered entity that experiences a covered cyber incident must report that incident to CISA.
  2. A covered entity that makes a ransom payment as the result of a ransomware attack must report that payment to CISA.
  3. Until a covered entity notifies CISA that the covered cyber incident in question has concluded and been fully mitigated and resolved, a covered entity must submit an update or supplement to a previously submitted report on a covered cyber incident if substantial new or different information becomes available.
  4. A covered entity must submit an update or supplement to a previously submitted report on a covered cyber incident if the covered entity makes a ransom payment after submitting a Covered Cyber Incident Report.

CISA also explains that time doesn’t exclude reporting. For example, let’s say your company discovers that it experienced a cyber incident two years ago, and the incident is ongoing. You would still be required to submit a Covered Cyber Incident Report under the proposed rule because the incident has not concluded and has not been fully mitigated and resolved.

What exceptions exist when reporting a cyber incident to CISA?

As per CISA, reportable incidents exclude “any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system.”

What exactly are “good faith” scenarios? It could be a third-party service provider acting within the parameters of a contract that unintentionally misconfigured a company’s devices, leading to a service outage. Another example would be a properly authorized penetration test that inadvertently results in a cyber incident with actual impacts.

Other good faith exclusions could be incidents related to security research testing. Researchers may have been authorized to attempt to compromise systems, such as in accordance with a vulnerability disclosure policy or bug bounty programs. That being said, CISA anticipates that these exemptions would rarely occur. Good faith security research generally stops at the point where the vulnerability can be demonstrated and should not typically result in an actual impactful incident.

Intentional shutdown not exempt if ransomware involved

In some cases, a covered entity, in response to a genuine ransomware or other malicious incident, might decide to take action against itself that results in reportable-level impacts, such as shutting down systems or operations. For example, a Ransomware-as-a-Service attack victim might do this to prevent a wider impact from the cyberattack. This scenario is still considered a reportable substantial cyber incident.

In such a case, the incident itself was not perpetrated in good faith, and the threshold level impacts would not have occurred if there had been no attack. Therefore, CISA would not consider the covered entity’s actions to meet the “good faith” exception. Clearly, the covered entity intentionally triggered an impactful event (e.g., taking systems offline) in an attempt to minimize the potential damage of a cyber incident. However, this kind of activity would not be exempt from reporting requirements.

Ongoing conversation

The discussion about ransomware reporting requirements is ongoing. And when even entities with robust cyber resilience are at risk, the final conclusions of CIRCIA will be on everyone’s radar.

Unpacking the NIST cybersecurity framework 2.0
https://securityintelligence.com/articles/nist-cybersecurity-framework-2/
Published Thu, 18 Apr 2024 13:00:00 +0000

The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.

NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards and create a new model that reflects evolving security challenges.

While the core of the CSF remains the same, there are several notable additions to the new version. Here’s what enterprises need to know about the new framework, how it impacts operations and how IT teams can effectively apply CSF version 2.0 to daily operations.

New in NIST 2.0: The Govern function

First is the introduction of the “Govern” function, which underpins all five functions of the original NIST framework: Identify, Protect, Detect, Respond and Recover. As noted by the original CSF 1.0 documentation, “these functions are not intended to form a serial path or lead to a static desired end state. Rather, the functions can be performed concurrently and continuously to form an operational culture that addresses the dynamic security risk.”

As a result, the functions are often depicted as a five-part circle surrounding the core of the CSF. Each function leads into the next, and no function is independent of another.

NIST CSF 2.0 keeps these functions but adds Govern as a complete inner ring located under the five outer functions. Govern focuses on ensuring that the other functions align with business needs, are regularly measured by operations teams and are managed by security executives.

In other words, Govern looks to bring leadership into the security conversation. While this is already happening in most businesses, CSF 2.0 makes it a priority.

Expanded best practices

The first two CSF versions prioritized critical infrastructure. While other industries and agencies adopted the framework, it was primarily designed to reduce the impact of cybersecurity incidents in the critical infrastructure sector.

However, the broad adoption of the framework made it clear that practices and processes applied to public and private organizations across all sectors and industries. As a result, NIST CSF 2.0 offers expanded best practices broadly applicable to businesses of any size and type.

For example, the new CSF recommends that all businesses create Organizational Profiles that describe current and target cybersecurity postures. This allows companies to both set goals and define the practice necessary to meet these goals. The new framework also highlights the role of Community Profiles. These profiles are created to address the shared cybersecurity interests and goals of multiple organizations that occupy the same sector or subsector, use similar technologies or experience similar threat types.


Making the most of new NIST guidelines

With its focus on enhanced governance and expanded best practices, the new NIST CSF can help enterprises enhance security and reduce risk. To effectively implement this framework, organizations benefit from a four-pronged approach.

1. Use available recommendations and resources

The expanded scope and scale of CSF 2.0 can make it difficult for businesses of any size to effectively implement new recommendations. For smaller companies, limited IT support may impact the development of new practices, while larger organizations may struggle with the complexity of their IT environments.

To help streamline the process, businesses should make best use of available resources, such as:

2. Get leaders in the loop

Next on the list is getting leaders in the loop. While CSF 2.0 was designed with governance and oversight in mind, many non-technical C-suite executives may have limited knowledge of the framework and its impact. As a result, it’s a good idea for IT leaders — such as CTOs, CIOs and CISOs — and their teams to sit down with board members and discuss the impact of CSF 2.0. This is also an opportunity to ensure business goals and security strategies are aligned.

In addition, these meetings provide an opportunity to define key security metrics, determine how they will be collected and create a detailed schedule for collection, reporting and action. By making leaders part of the conversation from the beginning of CSF implementation, companies set the stage for sustained visibility.

3. Evaluate external partnerships

As part of the new Govern function, CSF 2.0 includes new subsections on vendor and supplier management. For example, GV.SC-04 focuses on knowing and prioritizing suppliers by their criticality to operations, while GV.SC-06 speaks to the planning and due diligence required before entering third-party relationships. Finally, subsection GV.SC-10 can help companies plan for the termination of a supplier or partner relationship.

Given the increasing risk and impact of third-party compromise, these evaluations are critical. If suppliers or vendors with access to critical company data are compromised due to poor cybersecurity practices, organizations are at risk, regardless of their own CSF 2.0 compliance.

4. Deploy management and monitoring tools

To support all five existing functions and provide the data needed to inform new governance efforts, companies need management and monitoring tools capable of detecting potential threats, tracking indicators of compromise (IOCs) and taking action to reduce total risk.

For example, threat intelligence tools can help organizations pinpoint common attack patterns and targets, in turn giving teams the data they need to create and deploy effective countermeasures. This data also helps tie security spending to measurable business outcomes.

From best practice to common practice

While CSF 2.0 is the newest version of NIST’s cybersecurity framework, it’s not the last. As noted by NIST, the framework is designed as a living document that evolves to meet emerging cybersecurity needs and help companies navigate changing threat environments.

In practice, this means making the move from best practices to common practices. For example, where versions 1.0 and 1.1 provided best practices for critical infrastructure, version 2.0 includes them as common practices for all organizations while defining a new best practice: governance. Over time, this practice will become commonplace, setting the stage for further developments that help organizations enhance threat discovery, improve incident response and reduce total risk.

Updated SBOM guidance: A new era for software transparency?
https://securityintelligence.com/articles/updated-sbom-guidance-2024/
Published Thu, 25 Jan 2024 14:00:00 +0000

The cost of cyberattacks on software supply chains is a growing problem, with the average data breach costing $4.45 million in 2023. Since President Biden’s 2021 executive order, software bills of materials (SBOMs) have become a cornerstone in protecting supply chains.

In December 2023, the National Security Agency (NSA) published new guidance to help organizations incorporate SBOMs and combat the threat of supply chain attacks.

Let’s look at how things have developed since Biden’s 2021 order and what these updates mean for the owners and operators of national security systems.

Navigating new standards: NIST and CISA’s contributions

Since 2021, the National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA) have been pivotal in shaping SBOM standards. Their guidelines aim to offer companies and operators a complete picture of software components, including open-source software.

An SBOM should provide transparency into the ingredients of software, including:

  • Open-source libraries and dependencies
  • Commercial/proprietary libraries and modules
  • Services and tools
  • Versions of libraries and components
  • Relationships between components
  • Licensing information

It’s important to collect and share this information in a clear format. There are three commonly used standards for SBOMs:

  • Software Package Data Exchange (SPDX®): An open-source, machine-readable format developed by the Linux Foundation. SPDX is a flexible option with the size and capacity to be an all-inclusive format.
  • CycloneDX (CDX): An open-source, machine-readable format from the OWASP community. CDX is a more agile, user-friendly option than SPDX.
  • Software Identification (SWID): An ISO/IEC industry standard that many commercial software publishers use. This is, by far, the easiest standard to use — but its capabilities are limited to simple inventory and cataloging.

This standardization makes it easier for operators to understand and manage the security risks related to the software. Unfortunately, operators managing intricate tech stacks and cybersecurity systems often need to use more than one standard, which poses additional challenges.


What are the problems with SBOMs?

SBOMs offer information about code provenance and help software engineering teams detect malicious attacks in their early stages — often during development and deployment. However, getting in line with the U.S. government’s regulations around SBOMs is not straightforward.

Here are some concerns:

  • Complex requirements: An app may comprise files, functions or code from separate third-party sources. Without proper documentation during development, creating an accurate SBOM that includes all components is challenging.
  • Lack of data: SBOMs explain the ingredients in software but share nothing about the quality of those components, the contributors or the processes around quality control.
  • Time investment: Companies must dedicate a lot of time to properly research and document SBOMs. Also, SBOMs are not static documents, so a new SBOM will be needed with every release or update — making this an ongoing draw on company resources.
  • Budget: With more time spent on SBOMs, compliance costs will impact the company’s payroll. Also, there’s a chance that SBOM focus can distract software developers from focusing on more serious security risks.
  • Intellectual property concerns: Sharing detailed software components can feel like giving away trade secrets. It’s a tightrope walk between optimal security and competitive positioning.

An imperfect step in the right direction

With the NSA’s latest updates for SBOM management, we can expect SBOMs to become a key aspect of securing and managing software supply chains in 2024. Companies can use them to offer software developers and customers transparency about the software they use.

But it’s important to remember that SBOMs are not a magic bullet against cyberattacks on supply chains. Challenges in cost and compliance remain a concern, especially for smaller organizations.

Operators in national security and enterprises must adapt to the changes and collaborate with software developers to give companies the best chance of protecting their supply chains and assets.

Roundup: Federal action that shaped cybersecurity in 2023
https://securityintelligence.com/articles/2023-federal-cybersecurity-action-roundup/
Published Thu, 28 Dec 2023 14:00:00 +0000

As 2023 draws to a close, it’s time to look back on our top five federal cyber stories of the year: a compilation of pivotal moments and key developments that have significantly shaped the landscape of cybersecurity at the federal level.

These stories highlight the challenges federal agencies faced in securing digital infrastructure in the past year and explore the evolving nature of cyber threats, as well as the innovative responses required to address them.

New White House cybersecurity strategy

The White House’s National Cybersecurity Strategy represents a decisive shift in the U.S. approach to cybersecurity. This 35-page document details the government’s plan to strengthen cyber defenses, focusing on reducing the burden on end-users, small businesses and local governments. The strategy proposes shifting software security liability to larger corporations, a move that has sparked discussions in the cybersecurity community. Finally, it prioritizes protecting critical infrastructure, like public water systems, from cyberattacks while preparing for emerging threats from quantum computing and AI.

NIST evolved for risk management

The NIST Cybersecurity Framework 2.0 (CSF) is evolving to meet the challenges of modern risk management, aligning with the Biden Administration’s National Cybersecurity Strategy. This update emphasizes improved risk management strategies, which are crucial in today’s cybersecurity landscape. The framework introduces a new ‘govern’ function, focusing on policies, procedures and team roles in cybersecurity risk management. It also expands guidelines on supply chain security, reflecting broader government initiatives. The CSF 2.0 continues to grow, addressing emerging threats like generative AI while striving for a cohesive U.S. cybersecurity approach across government and private sectors.

NSA’s best practices for home networks

The hybrid workplace is here to stay, and since home networks are central to our personal and professional lives, their security is paramount. The National Security Agency (NSA) emphasizes this shift in their latest best practices for securing home networks, highlighting the risks posed by cyber criminals. Bad actors often target home networks as gateways to larger corporate systems, especially through remote workers. The NSA’s guidelines focus on two key areas: technical upgrades to network hardware and software and behavioral changes to enhance online safety. By following the guidelines, individuals can mount a defense against breaches, keeping their personal data and professional integrity intact.

White House continues cybersecurity push

The Biden Administration’s National Cybersecurity Strategy Implementation Plan (NCSIP) marks a significant advancement in the United States’ approach to cybersecurity. Managed by the White House’s Office of the National Cyber Director, the plan has been well-received by cybersecurity experts for its clarity and actionable goals. It outlines over 65 federal initiatives to enhance cybersecurity, assigning specific tasks and deadlines to 18 federal agencies. The NCSIP is structured around five core pillars: defending critical infrastructure, disrupting threat actors, shaping market forces for security and resilience, investing in a resilient future and forging international partnerships. The comprehensive plan represents a groundbreaking shift in the U.S. government’s allocation of roles, responsibilities and resources in cyber, emphasizing long-term investments in cybersecurity and a coordinated effort across federal agencies.

The White House on managing AI

President Biden’s executive order on Artificial Intelligence (AI), issued on October 30, 2023, takes a significant step in the regulation and advancement of AI technology. The order aims to protect the American public from any negative side effects of AI’s rapid and expansive development. It outlines ambitious goals, including setting new AI safety and security standards, protecting privacy, advancing equity and civil rights and promoting innovation and competition. The order has also sparked debate over its sufficiency and potential impact on America’s AI leadership. While it emphasizes labeling AI-generated content, supporting the American workforce and promoting innovation, critics argue it lacks enforceable mandates and detailed implementation strategies. Ultimately, the executive order is seen as an initial step in a longer journey.

NIST’s security transformation: How to keep up
https://securityintelligence.com/articles/nist-security-transformation-how-to-keep-up/
Published Tue, 07 Nov 2023 14:00:00 +0000

One thing that came out of the pandemic years was a stronger push toward an organization-wide digital transformation. Working remotely forced companies to integrate digital technologies, ranging from cloud computing services to AI/ML, across business operations to allow workers to keep up high production and efficiency standards.

Now that businesses and consumers have adjusted to the new normal of digital transformation, it is time to develop a security transformation strategy.

Coping with the speed of change

A constantly evolving tech environment means that security needs and systems are constantly shifting. For an easy example, just look at how quickly cybersecurity has had to adapt to generative AI. Within a year of its arrival, organizations and cybersecurity analysts were searching for ways to use generative AI to improve cyber defenses, while threat actors had already found ways to launch more sophisticated and harder-to-detect attacks (and to target the AI tools themselves).

Like any transformation, the problem is knowing where to start and what needs to be updated. Luckily, the security transformation has blueprints to follow, starting with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). From there, organizations can use reference points such as recent White House Executive Orders around cybersecurity readiness and state, federal, industry and international data privacy compliance regulations. Cybersecurity insurance requirements provide more useful guidelines.

And like the digital transformation, the security transformation will evolve to fit your organization’s needs. There may be some push to move quickly — you want protections or policies in place for a ransomware attack sooner rather than later, for instance. However, it is better to be methodical to ensure that you are building the right security program for your needs.

The NIST CSF update offers an example for your transformation

The original NIST CSF was released in 2014 and was designed to improve security around critical infrastructure. It was developed from an Executive Order released by the Obama White House in 2013 to provide “a consensus description of what’s needed for a comprehensive cybersecurity program,” according to then-Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher.

However, ten months is a long time in our digital society, let alone ten years. When NIST CSF 1.0 was introduced, it was revolutionary for its era. It also came before cloud computing was part of every business environment, before ransomware was shutting down hospitals and casinos and before APIs became a major attack vector. In fact, smartphones were still in their early years, and BYOD was a fairly new term.

“NIST is updating the Framework to account for the changes in the cybersecurity landscape, including changes in threats, technologies and standards,” Cherilyn Pascoe, lead developer of the framework, told Cybersecurity Dive.


New guidelines bring NIST into the future

CSF 2.0 is a methodical update. In February 2022, NIST put out a request for information, asking for guidance from tech and cybersecurity companies on how to best update CSF, as well as address the growing threat around supply chain risks. NIST then opened up the framework for public comments before the final version of CSF 2.0 goes live.

Despite being designed for those industries that make up the critical infrastructure, such as utilities, gas and oil, CSF 1.0 was used as a guide across industries trying to figure out how to best introduce cybersecurity into their organizations. CSF 2.0 builds on what worked in the original while adding “an expanded scope, the addition of a sixth function, Govern and improved and expanded guidance on implementing the CSF — especially for creating profiles.”

NIST recognized that while CSF 1.0 added value, it was no longer meeting the cybersecurity challenges industries face today. NIST is following a similar framework path to address the security concerns around AI. A White House Executive Order expounds on the value of a zero trust model, and the Department of Defense introduced the Cybersecurity Maturity Model Certification (CMMC) in 2020 to ensure that defense contractors meet cybersecurity standards; the CMMC framework itself continues to evolve and change.

Why your organization needs a methodical security transformation

There are two important takeaways from these government initiatives. First, the federal government sees the importance of nationwide standards to protect sensitive information critical to business operations and consumer personal security. Second, while nothing ever happens quickly when it involves the government, this methodical system of creating and updating these frameworks shows that security transformation takes a lot of thought, a lot of planning and a lot of time.

Your organization’s security transformation should also be carried out in a methodical, deliberative manner. As security analysts repeat on a loop, there is no one-size-fits-all solution. Some risks are common to everyone, and threat actors do have favored attack vectors and attack types, but the threats facing your organization are uniquely yours, and it is time to transform your security program to meet your needs.

Where to get started

It begins with a thorough evaluation of what you are protecting, the biggest risk factors to your industry and business operations, the regulatory compliance requirements you must follow and the types of threats and attacks you’ve dealt with in the past. Tools that offer full visibility into your infrastructure and that provide identity management are a starting point. Deploying least privilege and MFA can be an immediate mitigation for one of the top security problems today: credential theft.

You may need a managed security service provider (MSSP) to help with your security transformation. An MSSP can provide a range of tools, such as data loss prevention (DLP), endpoint detection and response (EDR) and identity and access management (IAM).

This is a good time to evaluate your security awareness program. There are new approaches to security awareness that gamify learning or treat training films more like entertainment for better retention.

Where and how you begin your security transformation will depend on your organization’s security maturity. From there, it is both building on your strengths and addressing your weaknesses (and you’ll probably want to go with the latter first). The goal is to meet the threat actors where they are targeting their attacks right now and then anticipate how their attacks are evolving against your industry.

And if you aren’t sure how to shape your security transformation, don’t worry. This is one time when the government has the help you need.

The post NIST’s security transformation: How to keep up appeared first on Security Intelligence.

Cyber experts applaud the new White House cybersecurity plan
https://securityintelligence.com/articles/cyber-experts-applaud-new-white-house-cybersecurity-plan/
Tue, 17 Oct 2023 13:00:00 +0000

First, there was a strategy. Now, there’s a plan. The Biden Administration recently released its plan for implementing the highly anticipated national cybersecurity strategy published in March.

The new National Cybersecurity Strategy Implementation Plan (NCSIP) lays out specific deadlines and responsibilities for the White House’s vision for cybersecurity. The plan is being managed by the White House’s Office of the National Cyber Director (ONCD).

Cybersecurity experts have applauded the Administration’s plan as well as the new implementation calendar. For example, Jeff Moss, the founder of the Black Hat and DEFCON conferences, posted, “This is the first time I can remember seeing a document this high-level documenting initiatives, who is responsible for it and expected completion dates. Great job, ONCD!”

Moving from strategy to plan implementation

The National Cybersecurity Strategy outlined two main areas of emphasis for the nation’s cybersecurity. First is the need for more capable actors to bear more responsibility for cybersecurity. Second is the need to increase incentives to invest in long-term resilience.

Now, the NCSIP aims to ensure transparency and coordination among U.S. federal government agencies to bring the strategy to life. This will be a groundbreaking shift in how the government allocates roles, responsibilities and resources in cyberspace, along with incentives for long-term investments into cybersecurity.

The NCSIP outlines over 65 “high-impact” federal initiatives to carry out the National Cybersecurity Strategy. Each initiative is designated to a specific agency along with a completion deadline date. The initiatives include targeted tasks, such as proposing new legislation or updating technology systems. Overall, 18 federal agencies have been assigned different responsibilities within the plan.

Five pillars of the NCSIP

The National Cybersecurity Strategy Implementation Plan is based on five core pillars:

  • Pillar one: Defending critical infrastructure. As per the plan, CISA will lead an update of the National Cyber Incident Response Plan. The goal is to more fully realize the policy that “a call to one is a call to all.” Guidance will also be extended to external partners on the roles and capabilities of federal agencies in incident response and recovery.
  • Pillar two: Disrupting and dismantling threat actors. The FBI will work with federal, international and private sector partners to carry out disruption operations against the ransomware ecosystem. This includes virtual asset providers that enable the laundering of ransomware proceeds and web forums offering stolen credentials or other material support for malicious activities. CISA will offer training, cybersecurity services, technical assessments, pre-attack planning and incident response to high-risk targets of ransomware, like hospitals and schools.
  • Pillar three: Shaping market forces and driving security and resilience. The plan emphasizes the need to increase software transparency to enable better insight into supply chain risk and hold vendors accountable for secure development practices. CISA will promote the reduction of gaps in software bill of materials (SBOM) scale and implementation. CISA will also explore requirements for a globally-accessible database for end-of-life/end-of-support software.
  • Pillar four: Investing in a resilient future. The National Institute of Standards and Technology (NIST) will convene the Interagency International Cybersecurity Standardization Working Group to coordinate international cybersecurity standardization and enhance U.S. federal agency participation in the process. NIST will also finish the standardization of one or more quantum-resistant public key cryptographic algorithms.
  • Pillar five: Forging international partnerships to pursue shared goals. The Department of State (DOS) will publish an International Cyberspace and Digital Policy Strategy that incorporates bilateral and multilateral activities. The DOS will also work to develop staff knowledge and skills related to cyberspace and digital policy. The goal is to establish and strengthen country and regional interagency cyber teams to facilitate coordination with partner nations.
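The pillar three items above name two artifacts: the software bill of materials (SBOM) and a database of end-of-life/end-of-support software. The Python below is an added example, not code from the NCSIP, CISA or the original article, of how the two combine in practice: it parses a minimal CycloneDX SBOM, cross-references each component against an end-of-life table, and separates components that are past end of life from entries too incomplete to check (the "gaps in SBOM implementation" the plan refers to). The SBOM document, the end-of-life table and every package name, version and date in them are constructed for this example and are assumptions, not real records.

```python
"""Cross-reference a CycloneDX SBOM against an end-of-life (EOL) table.

Added example only: not code from the NCSIP, CISA or the article above.
The SBOM and EOL table below are constructed for this example; every
package name, version and date in them is an assumption, not a real record.
"""
import json
from datetime import date

# Constructed CycloneDX 1.5 JSON document (assumed content, not a real SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "purl": "pkg:generic/libfoo@1.2.3"},
        {"type": "library", "name": "oldcrypto", "version": "0.9.8",
         "purl": "pkg:generic/oldcrypto@0.9.8"},
        {"type": "library", "name": "libbar", "version": "3.1.0",
         "purl": "pkg:generic/libbar@3.1.0"},
        # Entry with no version: the SBOM itself has a gap here.
        {"type": "library", "name": "mystery", "purl": "pkg:generic/mystery"},
        # Entry with no purl: cannot be matched against an external database.
        {"type": "application", "name": "webapp", "version": "2.0.0"},
    ],
})

# Constructed EOL table (hypothetical): (name, major.minor release) -> EOL date.
EOL_TABLE = {
    ("oldcrypto", "0.9"): date(2020, 1, 1),
    ("libfoo", "1.2"): date(2030, 6, 30),
}


def release_line(version):
    """Reduce '1.2.3' to the '1.2' release line that EOL tables are keyed on."""
    return ".".join(version.split(".")[:2])


def check_sbom(sbom_json, eol_table, today):
    """Classify each SBOM component against the EOL table.

    `today` may be a datetime.date or an ISO 'YYYY-MM-DD' string.
    Returns a dict with four lists:
      eol        - components whose release line has passed its EOL date
      supported  - components with a known EOL date still in the future
      unknown    - complete entries that the EOL table does not cover
      incomplete - entries missing name, version or purl (SBOM gaps)
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")

    findings = {"eol": [], "supported": [], "unknown": [], "incomplete": []}
    for comp in bom.get("components", []):
        name, version, purl = comp.get("name"), comp.get("version"), comp.get("purl")
        if not (name and version and purl):
            findings["incomplete"].append(name or "<unnamed>")
            continue
        label = f"{name}@{version}"
        eol_date = eol_table.get((name, release_line(version)))
        if eol_date is None:
            findings["unknown"].append(label)
        elif eol_date <= today:
            findings["eol"].append(label)
        else:
            findings["supported"].append(label)
    return findings


if __name__ == "__main__":
    for category, items in check_sbom(SAMPLE_SBOM, EOL_TABLE, date.today()).items():
        print(f"{category:11s} {items}")
```

Two design points carry over to a real deployment: the `incomplete` bucket is reported separately rather than silently skipped, because an SBOM entry that cannot be matched is itself a supply-chain finding; and matching is done on the release line rather than the exact version, since end-of-life is typically declared per release line.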

Secure-by-design, secure-by-default

Under the first pillar of the plan (Defending critical infrastructure), CISA will lead public-private partnerships with tech companies, educators, nonprofits, academia and the open-source community to drive the development and adoption of software and hardware that is secure-by-design and secure-by-default.

Secure-by-design principles should be implemented during the design phase of a product’s development lifecycle. The goal is to significantly reduce the number of exploitable flaws before products are introduced to the market.

Secure-by-default means products are secure to use out of the box, with little or no configuration change, and that the protections come at no additional cost. Examples include multi-factor authentication (MFA) enabled by default, gathering and logging evidence of potential intrusions and controlling access to sensitive information.

Threat intelligence

Under pillar two (Disrupting and dismantling threat actors), the NSC will lead a policymaking process to establish an approach for Sector Risk Management Agencies (SRMAs) to identify sector-specific intelligence needs and priorities.

Additionally, the Office of the Director of National Intelligence, in coordination with DOJ and DHS, will review policies and procedures for sharing cyber threat intelligence with critical infrastructure owners and operators. The need for expanding clearances and intelligence access will also be evaluated.

IoT labeling

Given the rapid proliferation of connected devices, IoT represents a huge security challenge. The perimeter in enterprise computing has never been larger or more fluid. IoT devices, both inside and outside corporate offices, share the same potential security risks. Meanwhile, consumer devices are far less likely to offer security features, such as regular security-enhancing firmware updates.

As per the plan, the White House will continue to work towards improved IoT cybersecurity through federal R&D, procurement and risk management efforts. And the NSC will be tasked with identifying the “broad contours” of a U.S. Government Internet of Things (IoT) security labeling program.

Federal cyber grants and insurance

The plan also mentions something many organizations worry about – how to pay for modernization to meet new security standards. To address the economic need, the Administration will seek to leverage federal grants to improve infrastructure cybersecurity. The ONCD will develop materials to clarify, facilitate and encourage the incorporation of cybersecurity equities into federal grant projects.

Along similar lines, the plan will also assess the need for a federal cyber insurance response to catastrophic events. The response would be in support of the existing cyber insurance market.

A major step forward

While there is certainly a lot of work to be done, having a clear plan makes a big difference. The National Cybersecurity Strategy Implementation Plan is a major step in the right direction to address the growing cyber threat.

The post Cyber experts applaud the new White House cybersecurity plan appeared first on Security Intelligence.

How the FBI Fights Back Against Worldwide Cyberattacks
https://securityintelligence.com/articles/how-the-fbi-fights-back-against-worldwide-cyberattacks/
Tue, 19 Sep 2023 13:00:00 +0000

In the worldwide battle against malicious cyberattacks, there is no organization more central to the fight than the Federal Bureau of Investigation (FBI). And recent years have proven that the bureau still has some surprises up its sleeve.

In early May, the U.S. Department of Justice announced the conclusion of a U.S. government operation called MEDUSA. The operation disrupted a global peer-to-peer network of computers compromised by malware called Snake.

Attributed to a unit of Russia’s Federal Security Service (FSB) known as Turla, the Snake malware operated for close to 20 years, stealing documents from governments, journalists and others in at least 50 countries and “laundering” that data through infected computers in the United States as part of a broad, ongoing cyber espionage operation.

To facilitate the success of Operation MEDUSA, the FBI created PERSEUS. This tool caused Snake malware to overwrite its own components, thereby hobbling itself.

In short, the FBI and its partners built something that behaved like malware, with a payload that altered software on target computers; the only software it altered, however, was the Snake implant itself.

It’s not the only time the FBI beat hackers by hacking. But this kind of aggressive, effective action might have been unthinkable ten years ago.

How the FBI Approaches Cyberattacks

The FBI maintains a division called the Cyber Division (CyD), responsible for investigating cyber crimes. The division focuses on threats not only to the government and citizens but also to American companies.

More than 1,000 CyD agents and analysts work in 56 US field offices and over 350 sub-offices. They also travel globally in Cyber Action Teams to help foreign nations with cyber crime and learn about threats to US interests. The FBI also works with the major three-letter U.S. agencies, including the CIA, DHS and the NSA.

The bureau formally partners with U.S. industry. More than 600 Fortune 1000 companies participate in the FBI’s Domestic Security Alliance Council for sharing best practices and knowledge about emerging threats. The bureau’s InfraGard program connects some 70,000 US professionals to protect the infrastructure of private industry. The bureau is part of numerous other groups for learning, teaching and coordinating cybersecurity practices.

CyWatch is the bureau’s 24/7, 365 days-a-year cyber center. There, professionals with a widely diverse set of skills coordinate domestic law enforcement responses to cyberattacks. It also manages the FBI’s own response to attacks.

The bureau’s Internet Crime Complaint Center (IC3) offers an open invitation to report cyber crimes, which the FBI may choose to investigate.

The FBI also maintains a Cyber’s Most Wanted list. This helps the global public identify and report the bureau’s most infamous suspects.

And, of course, the FBI uses its credibility and reach to warn the public about emerging threats, with guidance on what to do about them.

A great many organizations, governments and agencies fight cyber crime. But the FBI is in a unique position in part because of all the help it gets from tips, collaboration with US corporations and tech companies, foreign law enforcement agencies and other US agencies.

And in recent years, it’s utilized that cooperation to even greater effect.

Major FBI Disruptions Over the Past Ten Years

Here are just a few of the FBI’s cases that disrupted cyberattacks globally.

2013

Silk Road: The FBI took over the darknet marketplace that specialized in the sale of illegal drugs and other contraband, called Silk Road, and arrested founder Ross Ulbricht.

Citadel Botnet: The FBI and international law enforcement agencies took out more than 1,400 instances of the banking fraud Citadel Botnet, which installed a keylogger on some five million computers with the end goal of stealing money from banks. The perpetrator, Dimitry Belorossov, was arrested in Spain, extradited to the United States, tried, convicted and imprisoned.

2014

Cryptolocker and Gameover Zeus: The FBI was part of an international effort to disrupt the Gameover Zeus banking fraud botnet that distributed Cryptolocker ransomware.

2015

Darkode dark web forum: The FBI coordinated an effort among law enforcement agencies in 20 countries called Operation Shrouded Horizon to take down an online forum called Darkode, which brought together people looking to buy or sell credit card information, server credentials, hacking tools, malware, botnets and other resources useful for malicious criminal behavior. It was also a forum for the sharing of knowledge and ideas for committing cyber crimes. After law enforcement infiltrated the closed site and gathered evidence there, they arrested dozens of Darkode associates and charged them. A dozen were indicted by the United States.

2016

Avalanche Network: The FBI and international law enforcement agencies dismantled the Avalanche network, which was used for worldwide crime sprees based on phishing attacks and the distribution of malware. Estimates say Avalanche infected some 500,000 computers and caused hundreds of millions of dollars in losses. Threat actors specifically designed it to block detection by law enforcement and cybersecurity specialists.

2017

AlphaBay and Hansa: The FBI and international partners shut down these dark web marketplaces, which were both used for the sale of illegal products like drugs, weapons, stolen data and more. Major players were arrested and convicted.

2019

Operation reWired: Working with international law enforcement, the FBI disrupted a global business email compromise (BEC) fraud scheme. Some 281 suspects were arrested in multiple countries.

2021

REvil/Sodinokibi: The FBI disrupted the REvil/Sodinokibi ransomware group, which compromised the global meat processing company JBS and also the Kaseya software company.

Emotet and NetWalker: The FBI neutralized the Emotet malware spread and a ransomware variant called NetWalker.

2023

Hive Ransomware Group: A global law enforcement operation spearheaded by the FBI shut down a Russia-linked Ransomware-as-a-Service (RaaS) group called Hive. The group had been selling ransomware services and tools since the Summer of 2021, raking in some $100 million from over 1,500 victims (including hospitals) in 80 countries. The operation lawfully “hacked the hackers,” according to Deputy Attorney General Lisa O. Monaco. The FBI took over Hive’s digital infrastructure completely, locking the perpetrators out. The FBI also distributed decryption keys to victims.


Barriers to More Effective FBI Cyber Law Enforcement

Former and disgruntled employees have criticized the FBI over its approach to cyber crime. First and foremost, the FBI has a long history of expecting all agents to be able to do just about any job within the agency, with non-technical people sometimes working in the cyber division and cyber experts working other kinds of crime in the field. This doesn’t work for a highly specialized realm like cybersecurity, say critics.

Also, some cybersecurity pros claim that the FBI isn’t culturally compatible with fighting cyber crimes. The culture of the FBI, they say, favors fast, thorough investigations resulting in arrests and convictions. Cyber investigations can take years and result in zero arrests when the perpetrators are in non-cooperating nations. And so those inside wanting to pursue such cases have needless internal barriers.

And the FBI itself has been hacked; databases of FBI personnel and its partners were recently breached in two separate attacks in one week, for example.

Despite these barriers, the bureau’s track record remains impressive.

How the FBI’s Approach to Cyber Crime Has Changed

Ten years ago, financial frauds and dark web marketplaces dominated the cyber crime landscape. Over the years, it transitioned to a larger threat from ransomware attacks, which grew increasingly “professional,” pernicious and costly. Business email compromise, investment scams, call center fraud and, of course, ransomware remain the most common threats. Most of these involve social engineering.

Some of the most sophisticated and broadly harmful attacks originated with state-sponsored actors, primarily Russia, China, Iran and North Korea.

Most cyberattacks pursue one of three goals. The biggest is money. From fraud to ransomware attacks, criminal actors in the “private sector” and cash-strapped North Korea alike are looking for huge paydays facilitated by cryptocurrencies. Ransomware is extremely lucrative, so when law enforcement shuts down ransomware gangs, they tend to come back.

The other two goals are pursued by state-sponsored actors looking to steal intellectual property and government secrets. In the case of China, they want everything from hospital patient records to the personal information of Americans with security clearances. State-sponsored actors want to learn about U.S. networks where the knowledge could be useful during a future hot war or cold cyber warfare.

As we enter a new world of AI-enhanced cyber crime, the FBI’s role will doubtlessly prove more vital than ever.

The post How the FBI Fights Back Against Worldwide Cyberattacks appeared first on Security Intelligence.

How NIST Cybersecurity Framework 2.0 Tackles Risk Management
https://securityintelligence.com/articles/how-nist-cybersecurity-framework-2-tackles-risk-management/
Mon, 18 Sep 2023 13:00:00 +0000

The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines.

The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to build risk management strategies.

When used as a risk management resource, the CSF can be applied in the context of the National Cybersecurity Strategy’s five pillars, Pascoe said. Those pillars are:

  • Defend critical infrastructure
  • Disrupt and dismantle threat actors
  • Shape market forces to drive security and resilience
  • Invest in a resilient future
  • Forge international partnerships to pursue shared goals.

One of the main goals of CSF is to allow organizations to build their cybersecurity strategy by identifying risk and improving the process of risk management. The updated framework will emphasize improved risk management — crucial in the modern cybersecurity landscape.

Governance Function

The original CSF has five functions: identify, protect, detect, respond and recover. CSF 2.0 will add a sixth function: govern.

This one function elevates the importance cybersecurity risk management plays in business and compliance outcomes. The governance function will focus on policies and procedures and security team roles and responsibilities. The desired outcome is for organizations to assess and prioritize risk based on policies and then define the responsibilities of team members in addressing potential threats.

The govern function includes a category focused primarily on risk management strategy (GV.RM). In previous versions of the CSF, risk management sat under a different function (identify, as ID.RM); CSF 2.0 moves it under govern and gives it its own category. The discussion draft version of CSF 2.0 lists the following subcategories:

  • GV.RM-01: Cybersecurity risk management objectives are established and agreed to by organizational stakeholders.
  • GV.RM-02: Cybersecurity supply chain risk management strategy is established, agreed to by organizational stakeholders and managed.
  • GV.RM-03: Risk appetite and risk tolerance statements are determined and communicated based on the organization’s business environment.
  • GV.RM-04: Cybersecurity risk management is considered part of enterprise risk management.
  • GV.RM-05: Strategic direction describing appropriate risk response options, including cybersecurity risk transfer mechanisms (e.g., insurance, outsourcing), investment in mitigations and risk acceptance, is established and communicated.
  • GV.RM-06: Responsibility and accountability are determined and communicated for ensuring that the risk management strategy and program are resourced, implemented, assessed and maintained.
  • GV.RM-07: Risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks.
  • GV.RM-08: Effectiveness and adequacy of cybersecurity risk management strategy and results are assessed and reviewed by organizational leaders.

GV.RM-05 through 08 are new additions to CSF 2.0, created for this new function.

Leadership

Well-defined leadership roles go hand-in-hand with the governance function. Under its roles and responsibilities section, standard GV.RR-01 states, “Organizational leadership takes responsibility for decisions associated with cybersecurity risks and establishes a culture that is risk-aware, behaves in an ethical manner and promotes continuous improvement.”


Supply Chain

The supply chain and its security risk have been a hot topic for a while. A few years ago, NIST added guidelines around supply chain security to the CSF. In CSF 2.0, the guidelines will be expanded to cover supply chain risk management. This follows other government initiatives to add more security to the supply chain. Although the CSF hasn’t offered specific parameters for risk management of the supply chain, different scenarios will likely provide examples of risks and functions designed to address threats.

Risk Management Tiers

These probable changes and updates to CSF will enhance the four framework implementation tiers, which NIST defines as “a lens through which to view the characteristics of an organization’s approach to risk — how an organization views cybersecurity risk and the processes in place to manage that risk.”

The tiers cover four different levels of an organization’s risk management program: partial, risk-informed, repeatable and adaptive. The tiers measure how the organization integrates its decisions around cybersecurity risk into overall business risks. The framework implementation also looks at how the company shares risk information with third parties.

Organizations self-govern their risk management journey. They determine the tier that best fits the current risk governance levels that meet business goals. However, these tiers aren’t just a definition of cybersecurity maturity. Rather, they allow the company to take a broader view of its overall cybersecurity risk tolerance. As the organization follows the framework, it can build a risk profile and develop a target profile to strive for.

How Will CSF 2.0 Continue to Evolve?

The updated CSF 2.0 puts a stronger emphasis on risk management. By emphasizing supply chain risk and security, it also follows guidelines released by other areas of the federal government. On the surface, it looks like there is finally cohesiveness in the U.S.’s cybersecurity approach, particularly carving a niche for cybersecurity risk management across government agencies and private industries.

This doesn’t mean that CSF 2.0 is perfect. There are risk areas that still need attention, such as the governance of remote work. Risk management standards aren’t designed to address fully remote or hybrid workforces.

And just as CSF 2.0 has recognized that supply chain security is adding higher levels of risk to organizations, it needs to step up to address the burgeoning threats from artificial intelligence, specifically generative AI. Generative AI exploded onto the scene after the CSF 2.0 process was well underway; now, it is impossible to ignore.

Perhaps it is too late to provide clear guidance around AI’s potential risk and offer a security framework, but it can’t be set aside for too long. The threat potential is looming, and organizations will soon be looking for guidelines on how to manage risks introduced by this new technology.

The post How NIST Cybersecurity Framework 2.0 Tackles Risk Management appeared first on Security Intelligence.

Why keep Cybercom and the NSA’s dual-hat arrangement? https://securityintelligence.com/articles/why-keep-cybercom-and-nsas-dual-hat-arrangement/ Mon, 11 Sep 2023 13:00:00 +0000

The post Why keep Cybercom and the NSA’s dual-hat arrangement? appeared first on Security Intelligence.

The dual-hat arrangement, where one person leads both the National Security Agency (NSA) and U.S. Cyber Command (Cybercom), has been in place since Cybercom’s creation in 2010. What was once touted as temporary 13 years ago now seems established.

Will the dual-hat arrangement continue? Should it? Experts have discussed the pros and cons of both viewpoints for years. It remains in place for now, but is that likely to change in the future? That remains to be seen, and points of view shift based on the political and geopolitical landscape, as well as the rise and fall of cyber threats.

Who supports the arrangement

Those inside the NSA and Cybercom, as well as key lawmakers, favor keeping the dual-hat leadership. DefenseScoop notes that the initial leadership agreement made sense. Both organizations are inside the same Fort Meade, Maryland, location. At its birth, Cybercom required NSA personnel, experience and infrastructure to grow. The assumption was that Cybercom would eventually grow large and powerful enough to stand alone and justify having its own separate leadership structure.

In practice, however, the dual role enabled faster decision-making, which can be crucial in defeating cyber threats. Rep. Jim Langevin, current chair of the House Armed Services Subcommittee on Cyber, Innovative Technologies and Information Systems, supports the arrangement, saying, “I think the dual-hat arrangement benefits both organizations and provides the infrastructure and expertise that helps both Cyber Command and the NSA achieve success in their individual missions.”

Sen. Mike Rounds, ranking member of the Senate Armed Services Subcommittee on Cybersecurity, voiced similar praise in the article, noting that without the dual-hat arrangement, “You would have two separate bureaucracies who would clash on a daily basis about the use of the tools, about the coordination of efforts, about the protection of their own silos.”

An October 2022 report drafted by a four-person group led by retired Gen. Joseph Dunford Jr., a former chair of the Joint Chiefs of Staff, did not give an official recommendation about keeping the arrangement. However, he argued strongly for the benefits derived from it. A Director of National Intelligence spokesperson noted the report showed benefits of the structure and found no adverse impacts that would justify terminating or splitting the role.

Arguments against the dual-hat role

There has also been opposition to the arrangement since Cybercom was created. Some feared the combined role was simply too powerful for one person. The same concern exists today as Cybercom’s role becomes larger, addressing wide-ranging societal concerns like election security and ransomware. Those defenses are often made public, which raises another concern: Could Cybercom’s activities reveal too much about the NSA? As a spy agency, the NSA’s activities are meant to stay hidden. If Cybercom uses NSA tools, could that expose espionage activity?

Does a single leader benefit both agencies?

Army General Paul Nakasone currently holds the head role and has since 2018. Obviously, it’s in his self-interest to tout his own abilities, but he detailed the benefits in his Cybercom 2023 posture statement delivered to the U.S. Senate Armed Services Committee in March. His statement quotes the October 2022 report noting “substantial benefits that present compelling evidence for retaining the existing structure.” He also states that “protecting the national security of the United States in cyberspace would be more costly and less decisive with two separate organizations under two separate leaders.”

The statement notes successful collaborations between the NSA and Cybercom, including defense of the 2022 midterm election. Nakasone maintains that “foreign attempts to meddle in our electoral process via cyber means escalated in 2016 and have persisted in every election cycle since.” The goal of this collaboration has been to “render these campaigns inconsequential,” meaning they would have no effect on election outcomes. The result was that the “2022 midterms progressed from primaries to certifications without significant foreign malign influence or interference.”

Nakasone also outlined efforts to hinder state-sponsored cyberattacks from China, Russia and Iran, as well as attacks by cyber criminals. He notes that as a result, the organization “made partner-nation networks more secure; increased our global cybersecurity partnerships; led to the public release of more than 90 malware samples for analysis by the cybersecurity community and ultimately kept us safer here at home.”

Demonstrable successes have, to date, prevented a split of this role, but the issue continues to come up.

Will a split still happen? If so, what is the holdup?

Even with general agreement that the dual-hat arrangement works, consensus also seems to be that the split will happen eventually in line with the original vision for Cybercom. In 2016, over concerns that a split was imminent (and also premature), Congress legislated metrics that would have to be met before the split could happen. Among those metrics was that each organization would have its own systems in place to plan, de-conflict and execute military cyber and national intelligence operations. Both organizations also need separate tools for cyber operations, including the ability to acquire or create needed tools.

Cybercom has made gains on those metrics but has not fully achieved them yet. And, as long as the two organizations work successfully together and continue to achieve their separate but complementary missions, it’s unlikely there will be a significant push to change their operations.

What’s next for the NSA and Cybercom?

As required, both organizations continue to make progress toward the legislated metrics. Yet there appears to be no appetite for changing the leadership arrangement in the short term. What is on the short-term horizon? Gen. Nakasone plans to step down from the role sometime this year. The leadership role is generally held for four years, but Nakasone agreed to extend his tenure into 2023.

In May, U.S. Air Force Lt. Gen. Timothy Haugh was nominated as Nakasone’s replacement. Haugh currently serves as deputy commander at Cybercom. He helped spearhead some of the key initiatives at Cybercom, including election protection. The role requires Senate confirmation, but Sen. Tommy Tuberville is currently blocking all military nominations, with 200 nominations currently pending due to his block. Haugh’s appointment and Nakasone’s retirement plans remain in the air until that stalemate ends.
