Thus, while on its face many of the new requirements in the Order are aimed at federal agencies and government subcontractors, the ultimate goal appears to be a more unified national cybersecurity defense across all sectors. In this installment of our blog series, I outline recommended steps for private sector organizations to prepare for compliance with the Order, as well as general best-practice tips for adopting a more preemptive approach to cybersecurity.
First and foremost, organizations must understand their current cybersecurity posture. Given the severity and volume of recent cyberattacks, organizations should commission in-depth third-party or red-team assessments that cover not only their own IT assets but also their solution providers, vendors, and suppliers (testing a third party's environment requires that party's written authorization, so scope and rules of engagement should be agreed with each of them up front). Red teaming provides a fact-driven adversary perspective as an input to solving or addressing a problem; in cybersecurity it has become a best practice in which the organization's cyber resilience is challenged from the perspective of an adversary or threat actor. Red-team testing is especially useful for testing organizational policies, procedures, and responses against defined, intended standards.
A third-party assessment should include a comprehensive external scan conducted remotely (unauthenticated, from the internet) and a comprehensive internal scan in which access is either provided by the organization or gained by the testers, with the intent of detecting and exposing vulnerabilities, exploitable weaknesses, and attack vectors for the red-team phase. Internal discovery goes deeper than the external scan: it runs authenticated scanning and tooling intended to find vulnerabilities below the perimeter and evidence of existing compromise. Physical intrusion tests should also be conducted against the facility, networks, and systems to exercise readiness and the defined policies and procedures.
The assessment evaluates the organization's ability to preserve the confidentiality, integrity, and availability of the information it maintains and uses, and tests the security controls and procedures used to secure sensitive data.
To accurately assess your organization's risk, you first have to know which vendors, partners, and suppliers you share critical data with. Many organizations rely on a complex and interconnected supply chain to provide solutions or share data. As noted above, this is exactly why the Order will eventually have a broad impact on the private sector. While on its face the Order only seems to affect federal government and subcontractor entities, those entities' data infrastructures (like most today) are interconnected environments composed of many different organizations, with complex layers of outsourcing partners, diverse distribution routes, and various technologies used to deliver products and services, all of which will have to live up to the Order's cybersecurity standards. In short, the federal government is recognizing that its vendors', partners', and suppliers' cybersecurity vulnerabilities are also its own. The sooner all organizations realize this, the better.
According to recent NIST guidance, "Managing cyber supply chain risk requires ensuring the integrity, security, quality, and resilience of the supply chain and its products and services." NIST recommends focusing on foundational practices, enterprise-wide practices, risk management processes, and critical systems. Cost-effective supply chain risk mitigation requires organizations to identify the systems and components that are most vulnerable and that would cause the largest organizational impact if compromised.
In the SolarWinds compromise, attackers inserted malicious code into the Orion platform's build, and because the tainted update was signed with SolarWinds' own legitimate code-signing certificate it passed the integrity checks customers normally rely on; around 18,000 SolarWinds customers, including government and corporate entities, installed it onto their systems. The compromised update has had a sweeping impact, the scale of which keeps growing as new information emerges.
Locking down your own networks, systems, and data is only the beginning. It is vital to ask how each member of your supply chain implements a Zero Trust strategy and secures both its environment and the data you share with it. A weakly defended or already compromised supplier can leak your data, which an attacker can then exploit directly or use as a foothold to compromise your organization.
Third-party assessors should deliver a comprehensive report of their findings that describes the vulnerabilities and risks found in the environment and recommends how to properly secure the data center assets, which will help companies stay ahead of the Order's mandates. Such reports typically include specific data obtained from the network, details of any exploitation of exposures, and the attempts made to gain access to sensitive data.
A superior assessment report contains documented, detailed findings from the engagement and conveys the assessor's opinion of how best to remediate each vulnerability. Findings are prioritized for action according to their level of risk, commonly rated critical, high, medium, or low for the environment, and a remediation plan can be built on that prioritization.
As outlined in Section 3 of the Order, a Zero Trust strategy is critical to addressing the steps above, and it must include establishing policy, training the organization, and assigning accountability for keeping the policy up to date.
The National Security Agency's (NSA) guidance on the Zero Trust security model defines it as follows: "The Zero Trust model eliminates trust in any one element, node, or service by assuming that a breach is inevitable or has already occurred. The data-centric security model constantly limits access while also looking for anomalous or malicious activity."
Properly implemented, Zero Trust is not a checklist of access controls but an assessment and deployment of security solutions that provide proper network and hardware segmentation as well as platform micro-segmentation, applied at every layer of the OSI (Open Systems Interconnection) model. A sound position is that Zero Trust should be implemented with a design in which every solution assumes it is operating in a hostile environment and that the other layers of the company's protections have already been compromised. Access is therefore decided per request from the identity, the device, and the context of the request rather than from network location, and the isolation between layers improves protection by applying Zero Trust principles throughout the environment, from perimeters and VPNs to remote access, web servers, and applications.
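The per-request decision described above, as an added example that is not part of the original post or of the NSA's guidance: a small policy decision point in Python in which every request is judged on identity (MFA-verified on this request), device posture, an explicit resource allowlist, and an anomaly check, while the source IP is recorded for audit but never consulted, so a request from "inside" the network earns no more trust than one from the internet. All users, devices, resources, policy rules, and thresholds below are constructed sample data and assumptions.

```python
# Added illustration, not code from the original post or from the NSA:
# a minimal per-request policy decision point in the spirit of Zero Trust.
# Identities, devices, resources, rules and thresholds are constructed
# sample data and assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    user: str
    mfa_verified: bool  # strong authentication checked on every request
    groups: frozenset


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    resource: str
    action: str
    source_ip: str  # recorded for audit only; never consulted for the decision
    geo: str


# Explicit allowlist of resource -> permitted groups and actions.
# Anything not listed is denied (default deny, least privilege).
POLICY = {
    "payroll-db": {"groups": {"finance"}, "actions": {"read"}},
    "ci-runner": {"groups": {"eng"}, "actions": {"read", "write"}},
}
MAX_PATCH_AGE_DAYS = 30  # assumed device-health threshold


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)    # why access was refused
    anomalies: list = field(default_factory=list)  # suspicious signals seen


class PolicyEngine:
    def __init__(self):
        # Per-user locations seen on previously allowed requests; used only
        # to flag anomalies, never to grant access.
        self._seen_geo = {}

    @staticmethod
    def device_healthy(d: Device) -> bool:
        return d.managed and d.disk_encrypted and d.patch_age_days <= MAX_PATCH_AGE_DAYS

    def evaluate(self, req: Request) -> Decision:
        dec = Decision(allow=False)
        # 1. Identity: a session is not trusted because it was once verified.
        if not req.identity.mfa_verified:
            dec.reasons.append("identity not MFA-verified")
        # 2. Device posture: an unmanaged or stale endpoint gets nothing,
        #    regardless of who is logged in.
        if not self.device_healthy(req.device):
            dec.reasons.append("device posture non-compliant")
        # 3. Resource authorization against the explicit allowlist.
        rule = POLICY.get(req.resource)
        if rule is None:
            dec.reasons.append(f"no policy for resource {req.resource!r}")
        else:
            if not (req.identity.groups & rule["groups"]):
                dec.reasons.append("identity not in an allowed group")
            if req.action not in rule["actions"]:
                dec.reasons.append(f"action {req.action!r} not permitted")
        # 4. Anomaly check: a location this user has never been allowed from
        #    before is refused pending step-up verification (illustrative rule).
        baseline = self._seen_geo.setdefault(req.identity.user, set())
        if baseline and req.geo not in baseline:
            dec.anomalies.append(f"new location {req.geo} for {req.identity.user}")
        dec.allow = not dec.reasons and not dec.anomalies
        if dec.allow:
            baseline.add(req.geo)
        return dec


def demo():
    """Evaluate a sequence of constructed requests and return the decisions."""
    alice = Identity("alice", mfa_verified=True, groups=frozenset({"finance"}))
    laptop = Device("lt-01", managed=True, disk_encrypted=True, patch_age_days=5)
    stale = Device("lt-02", managed=True, disk_encrypted=True, patch_age_days=90)
    engine = PolicyEngine()
    return {
        "internal_read": engine.evaluate(Request(alice, laptop, "payroll-db", "read", "10.0.0.5", "US")),
        "external_read": engine.evaluate(Request(alice, laptop, "payroll-db", "read", "203.0.113.9", "US")),
        "write_denied": engine.evaluate(Request(alice, laptop, "payroll-db", "write", "10.0.0.5", "US")),
        "stale_device": engine.evaluate(Request(alice, stale, "payroll-db", "read", "10.0.0.5", "US")),
        "unknown_resource": engine.evaluate(Request(alice, laptop, "hr-wiki", "read", "10.0.0.5", "US")),
        "new_location": engine.evaluate(Request(alice, laptop, "payroll-db", "read", "10.0.0.5", "BR")),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:17} allow={d.allow} reasons={d.reasons} anomalies={d.anomalies}")
```

Running the file prints the decision for each constructed request: the two reads from the internal and the external address receive the same answer, while the write, the stale device, the unlisted resource, and the never-seen location are each refused with the reason recorded for audit. In a real deployment the allowlist, the device-health signals, and the anomaly baseline would be fed by the identity provider, endpoint management, and telemetry rather than by constants in the code.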
For a true Zero Trust enabled environment, focus on cybersecurity solution providers whose offerings qualify as Advanced in the NSA's Zero Trust maturity model, as defined in the NSA's cybersecurity paper "Embracing a Zero Trust Security Model." Providers at that level can deploy advanced protections and controls with robust analytics and orchestration.
To further modernize your organization's cybersecurity protection, consider fully integrating, or replacing, some existing cybersecurity systems with ones that understand the complete end-to-end threat across the network. How can an organization implement confidentiality and integrity for breach prevention?
Solutions must have built-in protections that combine multiple automated defense techniques, deep zero-day intelligence, honeypot sensors, and state technologies working together to protect the environment preemptively.
As noted above, Cyemptive recommends these steps as a preemptive, holistic approach to cybersecurity defense. Cyemptive recommends starting this process as soon as possible, not only to comply with potential government mandates brought about by President Biden's Executive Order, but also to ensure that organizations are better prepared for the increased cybersecurity threat activity we are seeing throughout the private sector.