The Cybersecurity & Infrastructure Security Agency (CISA) recently released its 2022 Cross-Sector Cybersecurity Performance Goals (CPGs). The goals show a continued focus on the cybersecurity and risk management of small to medium-sized companies: businesses that deal with budgetary and resource constraints yet fall victim to the same kinds of attacks that plague enterprises. In this article, we talk about the report, why it matters for organizations of all sizes, and share our top takeaways from the published recommendations.
What the CISA CPG report is (and isn’t)
The government knows that small to medium-sized companies are at high risk for cybersecurity threats – they often have minimal security and almost no standards to protect them. For organizations with little cybersecurity knowledge or for those confused by all the vendor noise, the CPGs can serve as a valuable starting point. Instead of being seen as comprehensive or strict regulatory guidelines, the CPGs are more like a set of minimum goals to help businesses meaningfully reduce the risks, both to their end-users and their critical infrastructure (CI).
Rather than worrying about every potential threat a business might encounter, these suggestions are meant to address the most common threats that would have the greatest impact. CISA calls the set of practices a “floor” for organizations, not a ceiling. While this means the advice is general, the benefit is that it can be applied across the board with minimal resource/budgetary requirements. Aside from the financial aspect, this is an advantage because it makes the first attempts at adding security measures to your company more straightforward. *
The cybersecurity landscape is constantly changing; accordingly, the CPGs will be updated every 6-12 months to reflect the latest best practices and identify new threats and defenses as they occur.
* For a more substantial set of controls than the CISA goals, organizations should look to NIST SP 800-53, which groups 1000+ controls and control enhancements into control families (18 in Revision 4, 20 in Revision 5).
The performance goals are divided into 8 different categories and have been chosen to close the gaps that CISA sees as most urgent, especially for smaller businesses that can be less prepared for incoming threats.
To make it easier to sort through, we've summarized the recommendations that apply to organizations in general; the goals specific to Operational Technology and Industrial Control Systems (OT/ICS) teams are the exception and are left out here. Let's dive in!
1. Account security
Insecure accounts can leave the door open for cybercriminals to waltz on through. Every step added to the account authentication and authorization process will help improve your organization’s security.
- Log every unsuccessful login attempt. After a specified number of failures within a given period, lock the account for a minimum amount of time or until the security team re-enables it, and alert the team. Alert on the lockout itself, not only on the failures, and watch for one source trying a few passwords against many accounts (password spraying), which per-account counters alone will miss.
- Mandate an organization-wide policy to change default manufacturer passwords before hardware, software, and firmware are put on an internal or external network. Where the password cannot be changed, put compensating controls in place (network isolation, for example).
- Add multi-factor authentication (MFA) as a login layer. Phishing-resistant hardware tokens (FIDO2/WebAuthn or PKI-based) are preferred, with soft tokens (an authenticator app) as the runner-up. SMS MFA should be a last resort used only when nothing else is possible.
- Passwords should be at least 15 characters long, and organizations should consider passphrases and password managers to help users abide by this rule. Length matters more than complexity or frequent rotation because current attacker tools can crack 8-character passwords rapidly.
- Administrators should have a dedicated account for administration and a separate one for other activities such as business email and web browsing. Review permissions regularly to confirm they are still necessary.
- Do not allow users to reuse passwords across accounts, services, and applications. Machine and service accounts should also have credentials separate from those of human user accounts.
- When employees depart, revoke their credentials. Make sure they return any physical points of access (key cards, badges, tokens, etc.) and disable user accounts as well as other electronic access to resources within the organization.
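As an added example (not code from the CISA report or from SolCyber), here is the lockout rule from the first bullet implemented as detection logic over a handful of constructed sshd-style auth log lines. It keeps a sliding window of failures per account, raises a lockout once the threshold is reached inside the window, and, because a detection pipeline cannot enforce a lockout itself, also flags any successful login that arrives while an account should still be locked. The log format, the five-in-ten-minutes threshold and the 30-minute lockout are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines in sshd's auth-log style (not from a real host).
# alice: five failures in 20 seconds, then a successful login while locked.
# bob:   one failure, a 35-minute gap, then four more; never five inside 10 minutes.
SAMPLE_LOG = """\
2024-01-15T08:00:01Z sshd[1001]: Failed password for alice from 203.0.113.7 port 51000
2024-01-15T08:00:04Z sshd[1001]: Failed password for alice from 203.0.113.7 port 51001
2024-01-15T08:00:09Z sshd[1001]: Failed password for alice from 203.0.113.7 port 51002
2024-01-15T08:00:15Z sshd[1001]: Failed password for alice from 203.0.113.7 port 51003
2024-01-15T08:00:20Z sshd[1001]: Failed password for alice from 203.0.113.7 port 51004
2024-01-15T08:00:31Z sshd[1001]: Accepted password for alice from 203.0.113.7 port 51005
2024-01-15T08:05:00Z sshd[1002]: Failed password for bob from 198.51.100.9 port 40000
2024-01-15T08:40:00Z sshd[1003]: Failed password for bob from 198.51.100.9 port 40001
2024-01-15T08:41:00Z sshd[1003]: Failed password for bob from 198.51.100.9 port 40002
2024-01-15T08:42:00Z sshd[1003]: Failed password for bob from 198.51.100.9 port 40003
2024-01-15T08:43:00Z sshd[1003]: Failed password for bob from 198.51.100.9 port 40004
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line):
    """Return (timestamp, result, user, source_ip), or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]


def detect_lockouts(lines, threshold=5, window_minutes=10, lockout_minutes=30):
    """Apply the lockout rule to log lines given in time order.

    Returns a list of (timestamp, alert_type, user, source_ip) tuples:
      LOCKOUT              - `threshold` failures for one account inside the window
      SUCCESS_WHILE_LOCKED - a login succeeded while the account should still be locked
    """
    window = timedelta(minutes=window_minutes)
    lockout = timedelta(minutes=lockout_minutes)
    recent = defaultdict(deque)   # user -> failure timestamps still inside the window
    locked_until = {}             # user -> when the lockout expires
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if user in locked_until and ts < locked_until[user]:
            if result == "Accepted":
                # The identity system should have refused this; detection cannot
                # enforce a lockout, it can only tell you the lockout was bypassed.
                alerts.append((ts, "SUCCESS_WHILE_LOCKED", user, src))
            continue   # further failures during a lockout are expected noise
        if result != "Failed":
            continue
        history = recent[user]
        history.append(ts)
        while history and ts - history[0] > window:
            history.popleft()     # slide the window forward
        if len(history) >= threshold:
            locked_until[user] = ts + lockout
            alerts.append((ts, "LOCKOUT", user, src))
            history.clear()
    return alerts


if __name__ == "__main__":
    for ts, kind, user, src in detect_lockouts(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind:<20} user={user} src={src}")
```

With the defaults, alice trips the lockout on her fifth failure and her later "Accepted" line is flagged, while bob's five failures spread over 38 minutes never land inside one 10-minute window; widening the window to an hour catches bob too, which is the trade-off between a tight window (fewer false lockouts) and a wide one (catches slow, patient guessing).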
2. Device security
While cleaning your house once a year as part of your new year’s resolution is great, a bit of cleaning every day can give you comfort all year round. Your cyber environment also gets dirty over time as users go about their work. Implementing these recommendations can help maintain order and reduce the attack surface for potential bad actors.
- Require employees to gain approval before installing or deploying new firmware, hardware, software, or new software versions on company devices. If possible, create and maintain a list of approved resources.
- Disable Microsoft Office macros by default, and define an exception process that lets specific users or assets enable them where there is a documented need. Malicious macros delivered by spear phishing are a common way in, so the default should be off.
- All organizational assets with an IP address should be inventoried and updated regularly, at least monthly, to unearth unknown (shadow) and unmanaged assets.
- No unauthorized media or hardware should be attached to IT assets, such as USB devices or other removable media.
- All critical assets should be documented with baseline and current configuration descriptions. If a cyberattack occurs, having this documentation helps your business get back up and running more quickly because you won't have to recreate asset configurations from memory. Comparing the current configuration against the baseline also helps you identify and fix drift and vulnerabilities in your assets.
3. Data security
Nothing is more valuable than your data. To keep it safe, you need to protect it on the endpoint and in transit. You should also have a clear view of when data is being accessed as well as control of how it is stored. This is especially critical for sensitive data.
- Collect and store logs of activities related to access and security (firewall, IDS/IDPS, VPN) for detection and incident response purposes. If a critical source of logging is disabled, security teams should be alerted.
- Store these logs centrally in a database or a Security Information and Event Management (SIEM) tool, so that an attacker who compromises a host cannot simply erase its local trail. Only authorized and authenticated users should be able to read or modify them.
- To protect data in transit, use transport layer security (TLS) that is configured properly and kept up to date: TLS 1.2 or 1.3 only (TLS 1.0 and 1.1 are deprecated), certificates validated by the client, and weak cipher suites disabled.
- Sensitive data, credentials in particular, should not be stored in plaintext anywhere in the organization. Store it in a password/credential manager or vault that only authenticated and authorized users can access.
4. Governance and training
If everyone is in charge, no one is in charge. Assigning a point person to manage cybersecurity leadership and training is essential to encouraging a culture of cyber resilience.
- Give one person in the organization the role of cybersecurity leadership and assign them the responsibility of resourcing, planning, and executing cybersecurity activities.
- Require basic cybersecurity training annually, at minimum, for all employees of the organization and contractors. The training should include basic concepts and facilitate a culture of cyber awareness and security.
5. Vulnerability management
Knowing when your locks are broken or a window is open can keep your home safe. Staying informed about known exploited vulnerabilities, keeping in touch with security researchers, and performing tests to find potential issues will keep you a step ahead of cybercriminals.
- Patch or mitigate all known exploited vulnerabilities (CISA's Known Exploited Vulnerabilities, or KEV, catalog is the reference list) in internet-facing systems, with priority on your most critical assets. Patching regularly and updating your systems in response to this information will blunt the infiltration tactics of the moment.
- Make it easy for security researchers to notify your organization about assets that may be vulnerable, exploitable, or misconfigured, through a public and easily discoverable channel such as a web form or email address. If a report is validated and disclosed, publicly acknowledge the researcher who identified the issue. To make the process faster for researchers, every public-facing web domain should serve a security.txt file at /.well-known/security.txt that follows RFC 9116.
- Disable unnecessary network protocols and OS applications on internet-facing assets. Make sure public internet assets do not expose services that are routinely attacked, such as Remote Desktop Protocol (RDP).
- Periodically assess your environment to find gaps against the latest attacker tactics, techniques, and procedures (TTPs). Mitigate any high-impact findings quickly, and verify on the next test that they have not reappeared.
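The security.txt bullet is easy to get wrong in practice: files that have expired, that list a bare email address instead of a mailto: URI, or that repeat fields the RFC allows only once are common. As an added example (not from the CISA report or from SolCyber), here is a small checker for the RFC 9116 rules that can be verified offline: Contact and Expires must be present, Expires and Preferred-Languages may appear at most once, URI-valued fields must actually be URIs with web URIs over https, and Expires must be an ISO 8601 date-time that is in the future and ideally less than a year away. The two sample files, the example.com addresses and the fixed NOW timestamp are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the expiry checks are reproducible (assumption for the example).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample files; example.com is a placeholder, not a real programme.
GOOD = """\
# Security contact for example.com (constructed example)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2025-03-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
"""

BAD = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
Policy: http://example.com/policy
Preferred-Languages: en
Preferred-Languages: de
this line has no separator
"""

REQUIRED = ("contact", "expires")                     # RFC 9116: MUST be present
AT_MOST_ONCE = ("expires", "preferred-languages")     # RFC 9116: MUST NOT repeat
URI_FIELDS = ("contact", "acknowledgments", "canonical",
              "encryption", "hiring", "policy")        # URI values; web URIs must be https
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")  # URI scheme per RFC 3986


def parse_security_txt(text):
    """Return (fields, problems); fields is a list of (lowercased name, value) in file order."""
    fields, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank line or comment
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            problems.append(("error", f"line {lineno}: not a 'name: value' field"))
            continue
        fields.append((name.strip().lower(), value.strip()))  # names are case-insensitive
    return fields, problems


def check_expires(value, now):
    """Expires must be an ISO 8601 date-time with an offset, in the future, ideally under a year away."""
    iso = value[:-1] + "+00:00" if value.endswith(("Z", "z")) else value
    try:
        expires = datetime.fromisoformat(iso)
    except ValueError:
        return [("error", f"expires: '{value}' is not an ISO 8601 date-time")]
    if expires.tzinfo is None:
        return [("error", "expires: date-time must carry a timezone offset")]
    if expires <= now:
        return [("error", f"expires: file expired on {value}; regenerate it")]
    if expires - now > timedelta(days=365):
        return [("warn", "expires: more than a year ahead; RFC 9116 recommends less")]
    return []


def check_security_txt(text, now=None):
    """Return a list of (severity, message); an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)
    counts = {}
    for name, _ in fields:
        counts[name] = counts.get(name, 0) + 1
    for name in REQUIRED:
        if name not in counts:
            problems.append(("error", f"required field '{name}' is missing"))
    for name in AT_MOST_ONCE:
        if counts.get(name, 0) > 1:
            problems.append(("error", f"'{name}' appears {counts[name]} times; at most once is allowed"))
    for name, value in fields:
        if name in URI_FIELDS:
            if not SCHEME_RE.match(value):
                problems.append(("error", f"{name}: '{value}' is not a URI (email addresses need mailto:)"))
            elif value.lower().startswith("http:"):
                problems.append(("error", f"{name}: web URIs must use https://, got '{value}'"))
        if name == "expires":
            problems.extend(check_expires(value, now))
    return problems


if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(f"{label}: {check_security_txt(text, now=NOW) or 'no problems'}")
```

The checker deliberately does not fetch anything, so it can run in CI against the file in your repository before it is deployed; RFC 9116 also says the file SHOULD carry an OpenPGP cleartext signature, which this example does not verify.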
6. Supply Chain / Third Party
Procurement is an important, but often missed, part of your overall security profile. Put some qualifying questions in place to clear service providers and vendors before employees and contractors can buy from them.
- Vendor selection should prioritize the more secure offering or supplier when evaluations on cost and function are about equal.
- Include a provision in procurement documents that requires vendors and service providers to notify the organization promptly in the event of security incidents and confirmed security vulnerabilities.
7. Response and recovery
Even though we would like to prevent every attack, that is not possible. What happens when you experience a confirmed cybersecurity incident, and, perhaps more importantly, how do you get back to normal quickly?
- Establish a clear policy and procedure for reporting confirmed cybersecurity incidents to the proper external entities within regulated timeframes or as soon as able.
- Response plans should be created, maintained, updated, and tested regularly. Testing should feel as realistic as possible, be performed at least annually, and be followed by lessons learned and appropriate updates to the plan.
- Perform regular backups of all systems necessary for operations, at least once per year. Annual is only the floor the CPGs set; most systems need a much shorter interval to recover without losing months of work. Store backups apart from the source systems, offline or otherwise isolated so that ransomware on the network cannot reach them, and test restores at least once per year as well.
- Document network topology and any subsequent relevant information. Review and update the documentation periodically.
Here are a couple of additional tips for staying safe.
- Keep a documented list of threats and adversary TTPs based on your industry and demonstrate the ability to detect these threats.
- To reduce the risk of the most common email threats, enable STARTTLS, SPF, DKIM, and DMARC on corporate email infrastructure. DMARC should be set to p=reject; p=none only reports, and quarantine still delivers spoofed mail to a folder.
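Whether SPF and DMARC are actually enforcing is visible in two DNS TXT records, and the usual gaps (p=none, a partial pct, a soft-fail ~all, or a missing all term) are easy to spot mechanically. As an added example (not from the CISA report or from SolCyber), here is a checker for the DMARC tag syntax of RFC 7489 and the SPF terms of RFC 7208 that reports what keeps each record from being an enforcing configuration. The records below are constructed, example.com and example.net are placeholders, and DKIM and STARTTLS are out of scope because they cannot be judged from a static record alone.

```python
import re

DMARC_POLICIES = ("none", "quarantine", "reject")
# SPF terms that cost a DNS lookup; RFC 7208 caps the total at 10 per evaluation.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed DNS TXT records; example.com and example.net are placeholders.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc@example.com")
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ptr ~all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a {tag: value} dict (tag names are case-insensitive)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return the findings that stop this record from being an enforcing DMARC policy."""
    findings = []
    tags = parse_dmarc(record)
    if not record.strip().startswith("v=DMARC1"):
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in DMARC_POLICIES:
        findings.append("p= tag missing or invalid (none, quarantine, reject)")
    elif policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy is applied to only part of the failing mail")
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if subdomain_policy != "reject":
        findings.append(f"subdomain policy (sp) is '{subdomain_policy}', not reject")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    return findings


def assess_spf(record):
    """Return findings for one SPF record; include: targets are not fetched or recursed into."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must begin with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # '+' (pass) is the default qualifier
        body = term[1:] if term[0] in "+-~?" else term
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr: RFC 7208 says it SHOULD NOT be published; it is slow and unreliable")
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: senders not listed are not failed")
    elif all_qualifier == "+":
        findings.append("+all authorises every sender on the internet; use -all")
    elif all_qualifier in "~?":
        findings.append(f"{all_qualifier}all only soft-fails or is neutral; use -all once the record is complete")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms in this record alone; RFC 7208 allows 10 in total")
    return findings


def mail_auth_enforcing(spf_record, dmarc_record):
    """True when both records pass without findings."""
    return not assess_spf(spf_record) and not assess_dmarc(dmarc_record)


if __name__ == "__main__":
    for label, rec in (("WEAK DMARC", WEAK_DMARC), ("STRONG DMARC", STRONG_DMARC)):
        print(label, assess_dmarc(rec) or "ok")
    for label, rec in (("WEAK SPF", WEAK_SPF), ("STRONG SPF", STRONG_SPF)):
        print(label, assess_spf(rec) or "ok")
```

Moving straight to p=reject on a domain that has never had DMARC can bounce legitimate mail from forgotten senders, so the usual path is p=none with rua= reporting first, then quarantine, then reject once the reports show every legitimate source is covered by SPF or DKIM.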
Why small to medium companies should pay attention to CPGs
The CPGs are valuable to smaller companies for a couple of reasons – they can not only provide a security starting point, they can also help companies get funding for cybersecurity resources. Plus, following the guidelines set out by CISA can help reduce organizational cyber debt.
For companies that may become subject to additional regulation as they grow, or to regulation now being proposed, it helps to know that every security practice in the CPGs corresponds to a subcategory in the NIST Cybersecurity Framework (CSF). The CPGs do not fully address each subcategory, but they set your company up for further compliance later. Note also that if you have already adopted and implemented the NIST CSF, you do not need to take additional steps; you will have met the suggestions in the CPGs.
In any case, the government is clearly concerned about the security (or lack thereof) of small to medium-sized companies, and the publishing of CPGs may be the start of additional regulatory activity. One piece of data security legislation, the American Data Privacy and Protection Act, has been proposed and could pass in Congress. This act could change privacy law country-wide and worldwide. Preparing your organization now with basic security measures and best practices is a great way to get a jump on any future legislation.
Overall, the CISA CPG report serves as a helpful document to guide priorities and build up cyber resilience. It’s a great starting point for those with little to no investment in cybersecurity. However, keep in mind that attackers don’t discriminate. They use the same techniques against small businesses as they do against the Fortune 500. You’ll need to continue to make investments to reach a true state of cyber resilience.
If you need reinforcements, a modern MSSP like SolCyber can help! Our modern managed security services can help you achieve cyber resilience quickly and easily, focusing on your most critical assets and helping you improve your security position in no time.
Let’s talk today!