Exploring the Implications of the New National Cyber Strategy: Insights from Security Experts

/by

In March 2023, the Biden Administration announced the National Cybersecurity Strategy, which takes a more collaborative and proactive approach.

RedSeal teamed up with cyber security experts, Richard Clarke, founder and CEO of Good Harbor Security Risk Management, and Admiral Mark Montgomery (ret.), senior director of the Center of Cyber and Technology Innovation, to discuss the latest strategy. Both have developed previous national cybersecurity strategies so we couldn’t be more privileged to hear their take on the newest national strategy’s impact on cybersecurity regulations. This blog covers the importance of harmonizing the rules, trends in resilience planning, the role of cyber insurance, the transfer of liability, and the need to keep pace with AI and quantum computing. Keep reading to learn more, or click here to listen in.

Expanding Cybersecurity Regulations

Although this is the first time the administration gives a clear and intentional nod to cybersecurity regulations, the federal government has regulated every other major sector for over 20 years. This step makes sense. Clarke points out, sectors with heavy cyber regulations have fared better in the past two decades than those without. Montgomery predicts that most changes will happen in areas where regulations are lagging, such as water, oil pipelines, and railroads.

But many agencies don’t have the resources for effective enforcement. The government must thus use a combination ofregulations, incentives, and collaboration to achieve meaningful outcomes.

The Importance of Harmonizing the Rules

The new strategy aims to “expand the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety and harmonize regulations to reduce the burden of compliance.” But the expansion of cybersecurity regulations must come hand in hand with better coordination.

Clarke observes, today’s regulations aren’t well-coordinated. Agencies must share lessons learned and align their approaches. Private sectors will benefit from the standardization of various regulations to streamline compliance, reducing cybersecurity complexity and lowering costs.

However, coordination and standardization doesn’t mean a one-size-fits-all solution. Agencies must tailor their regulations to each specific sector. The good news is that we can apply the same network security technologies to any industry and encourage knowledge-sharing across verticals. For instance, we can take the high standards from the defense industry and apply them to healthcare and transportation without reinventing the wheel.

A Focus on Resilience Planning

The cybersecurity definition of resilience has evolved as the world has become more digital. We will get hacked. It is a certainty. Instead of only looking to protect systems from attacks, regulatory mandates must also focus on prompt recovery. The government should also hire industry experts to assess digital resilience plans and stress-test them for reliance.

Cyber resilience must be applied to national security as well as private business. Transportation infrastructure must be able to operate without extended interruption. The economy (e.g., the power grid and financial systems) is our greatest weapon, and must keep functioning during conflicts and crises. Lastly, we must have the tools to quickly and effectively battle disinformation, a new frontier in the fight against nation-state threats.

The Impact of the Internet of Things (IoT)

Regulations must also cover IoT devices, but focus on the networks instead of the thousands of individual endpoints. Clark suggests that organizations should install sensors on their networks and conduct regular vulnerability scans. Montgomery adds to this, emphasizing the need for certification and labeling regimens as part of a long-term plan to make vendors responsible for their products’ performance and security.

Shifting Liability to Vendors

Speaking of making vendors responsible for their products’ performance and security, the new strategy intends to transfer liability to software vendors to promote secure development practices, shift the consequences of poor cybersecurity away from the most vulnerable, and make our digital ecosystem more trustworthy overall.

Clarke agrees that this approach is necessary, but holds that the current regulatory framework can’t support the legal implementation. IT lobbyists, some of the most well-funded and influential players on Capitol Hill, will make enforcement of such a shift an uphill battle. Clarke believes that, unfortunately, this hard but necessary shift may not happen until a tragedy shakes the nation and leaves it the only way forward.

Keeping Pace with AI and Quantum Computing

We, as a nation, have many issues to consider around AI, including beyond security. Clarke points out that we must establish rules about transparency: what’s the decision-making process? How did AI get to a conclusion? Is it searching an erroneous database? Is the outcome biased? Large language models (LLMs) are constantly learning, and adversaries can poison them to impact our decision-making.

While AI is the big problem of the moment, we can’t afford to continue ignoring quantum encryption challenges, cautions Montgomery. We have already fallen behind and must spend a substantial sum today to prepare for what’s in store in 10 years. We must start building quantum security into our systems instead of attempting to jury-rig something on later, adds Clarke.

The Rise of Cyber Insurance and Real-time Monitoring

Montgomery predicts that, if run properly, the cyber insurance market can bring these pieces together. Insurance companies may, for instance, encourage proactive measures by reducing premiums for organizations that invest in cybersecurity upfront and establish a track record of reliability and resiliency.

But organizations must prove they’re continuously protected instead of merely showing “point in time” compliance to take advantage of lower premiums. Real-time monitoring will play a critical role in lowering premiums and maintaining cybersecurity.

A Step in the Right Direction

The new National Cyber Strategy introduces timely and much-needed shifts. We must harmonize regulations to maximize the benefits without overburdening the private and public sectors.

In anticipation of the impending changes, organizations must approach their cybersecurity strategies proactively and implement the right tools and services to stay compliant. These include a comprehensive network security solution for complete visibility and ongoing monitoring, cloud security tools to protect all IT assets, and professional services to ensure airtight implementation and continuous compliance.

RedSeal has extensive expertise and experience in delivering government cybersecurity and compliance solutions. Get in touch to see how we can help you stay ahead in today’s fast-evolving digital environment.

Advisory Notice: MOVEit Transfer Critical Vulnerability

/by

CVE: CVE-2023-35708

Description:

Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment. In Progress MOVEit Transfer versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.

Recommended Mitigation Steps:
  1. Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment. More specifically:
      • Modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443.
      • It is important to note that until HTTP and HTTPS traffic is enabled again:
        • Users will not be able to log on to the MOVEit Transfer web UI.
        • MOVEit Automation tasks that use the native MOVEit Transfer host will not work.
        • REST, Java and .NET APIs will not work.
        • MOVEit Transfer add-in for Outlook will not work.
      • SFTP and FTP/s protocols will continue to work as normal.
  2. As a workaround, administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/. 
 
For more information on localhost connections, please refer to MOVEit Transfer Help: https://docs.progress.com/bundle/moveit-transfer-web-admin-help-2023/page/Security-Policies-Remote-Access_2.html
  3. Apply the Patch
    As patches for supported MOVEit Transfer versions become available, links will be provided below. Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle. Please note, the license file can remain the same when staying on a major release to apply the patch.
  4. Enable all HTTP and HTTPs traffic to your MOVEit Transfer environment
  5. Please bookmark the Progress Security Page and refer to it to ensure you have all of the latest updates.
How Can RedSeal Help?
  • By bringing Host Data into your RedSeal instance, we can identify hosts with the targeted CVE in both the “Endpoint Data” tab, as well as the “Vulnerabilities” tab.
  • First be sure to update your CVE definitions on your endpoint scanning system and run a data collection in RedSeal.
  • If the vulnerability does not show up at first, try changing the radio button to “Show All Vulnerabilities”
  • Next, search specifically for the CVE in question:
  • In the bottom details pane, you will get a list of hosts that are affected by the MOVEit vulnerability. Right click on a device and select “Show in Maps and Views”:
  • Now that you have identified which subnets these hosts live on, you can run detailed path queries from “Untrusted” to the subnet and IP in question, on TCP ports 80 and 443, to find out which firewalls are in the path and should have blocks placed on them.
Alternative Steps

An alternative method to obtain a comprehensive list of network segments is to use the Zones and Policies feature in RedSeal. Following steps 1-4 above:

  • Set up a new view in Zones and Policies and have Group A be “Untrusted”, and Group B be “Affected Hosts”.
  • Add all your Untrusted Subnets to the “Untrusted” group, and all the hosts to your “Affected Hosts” group.
  • Set up access rules between the two, such as “Approval Required”, or “Access Forbidden”, and run analysis.

Once complete, you will have a comprehensive listing of every source that can get to the specific destinations, and even run detailed path queries directly from that menu to find your firewall rules.

The Shifting Landscape of Cybersecurity: Top Considerations for CISOs

/by

1. AI Is Changing the Game

The increasing use of generative AI tools such as ChatGPT comes with both defensive and offensive impacts. On the defensive side, companies can leverage these solutions to analyze security data in real time and provide recommendations for incident response and security vendors developers can write code faster. As for the offensive impact, attackers may be able to optimize malware coding using these same AI tools or leverage code released unknowingly by a security vendor’s developer. If malicious actors can hide compromising code in plain sight, AI solutions may not recognize the potential risk. And if hackers ask generative AI to circumvent network defenses leveraging code released unknowingly, the impact could be significant.

As a result, according to The Wall Street Journal & Forbes, JPMorgan Chase, Amazon, Bank of America, Citigroup, Deutsche Bank, Goldman Sachs and Wells Fargo are limiting employees’ ChatGPT use and we expect to see other companies follow.

2. Market Forces Are Shaping Security and Resilience

The looming economic recession is shaping corporate practices around security and resilience. While many IT teams will see their budgets unchanged or even increased in 2023 compared to 2022, security professionals should also expect greater oversight from C-suite executives, including chief information officers (CIOs), chief information security officers (CISOs), and chief financial officers (CFOs).

Both CIOs and CISOs will expect teams to justify their spending rather than simply giving them a blank slate for purchasing, even if the budget is approved. CFOs, meanwhile, want to ensure that every dollar is accounted for and that security solutions are helping drive business return on investment.

Consider network and cloud mapping solutions that help companies understand what’s on their network, where, and how it’s all connected. From an information security perspective, these tools have value because they limit the frequency and severity of IT incidents. But from a CFO perspective, the value of these tools ties to their ability to save money by avoiding the costs that come with detection, remediation, and the potential reputation fallout that occurs if customer data is compromised and acts as a force multiplier across multiple teams.

3. Multiple Vendor Architecture Is Everywhere

Firewall options from cloud vendors do not meet the enterprise’s security requirement. Enterprises are deploying traditional firewalls (ex. Palo Alto Network, Cisco or Fortinet) in their clouds. They are using cloud workload protection tools from vendors such as Crowdstrike or SentinelOne.

On-premises or cloud deployments cannot be treated in a silo. An adversary could get in from anywhere and go anywhere. The infrastructure has to be treated as one with proper segmentation. Pure-play cloud companies are also switching to on-premises collocated data centers to save on their rising cloud costs.

4. Public Oversight Impacts Private Operations

The recently announced National Cybersecurity Strategy takes aim at current responsibilities and long-term investments. According to the Strategy, there must be a rebalancing of responsibilities to defend cyberspace that shifts away from individuals and small businesses and “onto the organizations that are the most capable and best-positioned to reduce risks for all of us.” The strategy also recommends that businesses balance short- and long-term security investments to provide sustained defense over time.

To help companies achieve these goals, the Cybersecurity and Infrastructure Security Agency (CISA) recently released version 1.0.1 of its cross-sector cybersecurity performance goals (CPGs). Many of these goals fall under the broader concept of “security hygiene,” basic tasks that all companies should complete regularly but that often slip through the cracks.

For example, CPG 2.F recommends that companies use network segmentation to limit the impact of Indicator of Compromise (IOC) events. CPG 1.A, meanwhile, suggests that companies inventory all IT and OT assets in use, tag them with unique identifiers, and update this list monthly.

While no formal announcements have been made, it’s possible that under the new strategy, CISA will shift from providing guidance to enforcing regulatory expectations. For example, FDA may mandate pharmaceutical companies to submit their compliance to CISA CPGs.

5. IT and OT Meet in the Middle

RSA 2023 also touched on the continued merger of IT and OT environments. For many companies, this is a challenging shift. While IT solutions have been navigating the public/private divide for years, many OT frameworks are still not designed to handle this level of connectivity.

The result? A rapidly increasing attack surface that offers new pathways of compromise. Consider an industrial control system (ICS) or supervisory control and data acquisition (SCADA) system that was historically air-gapped but now connects to internal IT tools, which in turn connect to public cloud frameworks. If attackers are able to compromise the perimeter and move laterally across IT environments into OT networks, they will be able to encrypt or exfiltrate customers’ personal and financial data. Given the use of trusted credentials to access these systems, it could be weeks or months before companies notice the issue.

To mitigate the risks, businesses are looking for ways to segment IT and OT plus continuously validate segmentation policies are met. This starts with the discovery and classification of OT devices along with the development of standards-based security policies for both IT and OT functions. These two networks serve different aims and need to avoid the risk of any lateral movement between the networks.

Old, New, and Everything in Between

OT threats are on the horizon, companies need to prioritize basic security hygiene, and economic downturns are impacting IT budgets. These familiar frustrations, however, are met by the evolution of AI tools and the development of new national strategies to combat emerging cyber threats. As we look towards the second half of the year, the lessons learned can help companies better protect what they have and prepare for the next generation of cybersecurity threats. Take on the new cybersecurity landscape with RedSeal. Reach out to see how we can help you. 
[/av_textblock]