The U.S. administration has made available an ‘Insider Risk Self-Assessment’ tool for critical infrastructure and the organizations that keep infrastructure operational. In addition, it released a cybersecurity information sheet that covers the selection and hardening of standards-based remote access VPN solutions to help secure the Department of Defense (DoD), national security systems, and the Defense Industrial Base (DIB).
The insider risk self-assessment tool, released by the Cybersecurity and Infrastructure Security Agency (CISA), comes in the form of a downloadable PDF that asks users key questions about their existing enterprise, focusing on the domains of program management, personnel and training, and data collection and analysis. The tool will assist owners and operators or organizations, especially small and mid-sized ones who may not have in-house security departments, to gauge their vulnerability to an insider threat incident.
Aimed at public and private stakeholders at the federal, state, local, and community levels, the interactive PDF allows users to receive scores representing maturity indicators that objectively evaluate their immunity to insider threat incidents. The response also includes guidance to interpret the numbers and provides suggested measures.
The National Security Agency (NSA) and CISA information sheet helps in the selection of standards-based VPNs from reputable vendors that have a proven track record of quickly remediating known vulnerabilities and following best practices for using strong authentication credentials. It also covers hardening the VPN (virtual private network) against compromise by reducing the VPN server's attack surface: configuring strong cryptography and authentication, running only strictly necessary features, and protecting and monitoring access to and from the VPN.
VPN servers are entry points into protected networks, making them attractive targets. Multiple nation-state advanced persistent threat (APT) hackers have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices. The exploitation of these CVEs can enable a malicious hacker to steal credentials, remotely execute code, weaken encrypted traffic's cryptography, hijack encrypted traffic sessions, and read sensitive data from the device. If successful, these effects usually lead to further malicious access and could result in a large-scale compromise of the corporate network.
When choosing a remote access VPN, the DoD, national security systems, and the DIB must avoid choosing non-standard VPN solutions, including Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs. They must ensure that the product supports strong authentication credentials and protocols, and disables weak credentials and protocols by default. Users must plan to use multi-factor authentication and select products that support the credentials to be used.
Users must also request and validate a product’s Software Bill of Materials (SBOM) so the risk of the underlying software components can be adjudicated. Many vendors use outdated versions of open-source software in their products, including many with known vulnerabilities. They must also check on the support timeframes to ‘cover the entire expected usage lifetime of the product,’ in addition to replacing the product before it becomes end-of-life.
After choosing and deploying the VPN solution, it is critical to further harden the VPN against compromise. This can be done by adopting strong, approved cryptographic protocols, algorithms, and authentication credentials; national security systems are required to use the algorithms in the NSA-approved Commercial National Security Algorithm (CNSA) Suite.
Other hardening recommendations include using tested and validated VPN products on the National Information Assurance Partnership (NIAP) Product Compliant List, employing strong authentication methods such as approved cryptographic protocols and multi-factor authentication, immediately applying patches and updates to mitigate known vulnerabilities that are often rapidly exploited, restricting external access to the VPN device by port and protocol, and reducing the VPN's attack surface by disabling non-VPN-related features.
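The two hardening points above, approved algorithms and external access limited by port and protocol, can be checked mechanically. The script below is an added example, not code from the NSA/CISA sheet or from any VPN vendor: it audits strongSwan-style IKEv2/ESP proposal strings against the CNSA Suite 1.0 algorithm set (AES-256, SHA-384, P-384 ECDH, 3072-bit MODP) and flags externally reachable services other than IKE (UDP/500), NAT-T (UDP/4500) and ESP. The proposal strings and listener list are constructed sample data.

```python
"""Added example (not from the NSA/CISA sheet): audit an IPsec VPN's IKEv2/ESP
proposals and its externally reachable services against the hardening points
above. The allow-list follows the NSA CNSA Suite 1.0 algorithms (AES-256,
SHA-384, P-384 ECDH, 3072-bit DH); proposal strings use the strongSwan
"enc-integ-dh" spelling; all sample data is constructed."""

# CNSA Suite 1.0 algorithms, spelled as strongSwan proposal tokens.
CNSA_ENCRYPTION = {"aes256gcm16", "aes256gcm12", "aes256gcm8", "aes256"}
CNSA_INTEGRITY = {"sha384", "prfsha384"}     # ESP integrity / IKE PRF
CNSA_DH = {"ecp384", "modp3072"}             # P-384 ECDH, 3072-bit MODP

# Only IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50, written here
# with port 0) should be reachable from outside; anything else is attack surface.
ALLOWED_EXPOSURE = {("udp", 500), ("udp", 4500), ("esp", 0)}


def classify(token):
    """Map one proposal token to the negotiation slot it fills."""
    # Integrity prefixes first: "aesxcbc"/"aescmac" would otherwise match "aes".
    if token.startswith(("prf", "sha", "md5", "aesxcbc", "aescmac")):
        return "integrity"
    if token.startswith(("aes", "3des", "des", "camellia", "chacha", "null")):
        return "encryption"
    if token.startswith(("modp", "ecp", "curve", "x25519", "x448")):
        return "dh"
    return "unknown"


def audit_proposal(proposal):
    """Return a list of findings for a comma-separated proposal list.
    A peer may select any listed proposal, so every entry must pass;
    a strong first entry with a weak fallback still permits a downgrade."""
    findings = []
    for prop in proposal.split(","):
        slots = {"encryption": [], "integrity": [], "dh": [], "unknown": []}
        for tok in prop.split("-"):
            slots[classify(tok)].append(tok)
        for tok in slots["unknown"]:
            findings.append(f"{prop}: unrecognised token '{tok}'")
        if not slots["encryption"]:
            findings.append(f"{prop}: no encryption algorithm")
        for tok in slots["encryption"]:
            if tok not in CNSA_ENCRYPTION:
                findings.append(f"{prop}: encryption '{tok}' is not CNSA-approved")
        # CBC-mode ciphers need a separate integrity algorithm; GCM (AEAD)
        # modes authenticate on their own.
        needs_integrity = any("gcm" not in tok for tok in slots["encryption"])
        if needs_integrity and not slots["integrity"]:
            findings.append(f"{prop}: non-AEAD cipher without an integrity algorithm")
        for tok in slots["integrity"]:
            if tok not in CNSA_INTEGRITY:
                findings.append(f"{prop}: integrity/PRF '{tok}' is not CNSA-approved")
        if not slots["dh"]:
            findings.append(f"{prop}: no DH group specified")
        for tok in slots["dh"]:
            if tok not in CNSA_DH:
                findings.append(f"{prop}: DH group '{tok}' is not CNSA-approved")
    return findings


def audit_exposure(listeners):
    """Return (proto, port) pairs reachable from outside that a VPN gateway
    has no reason to expose, e.g. a management web UI or SSH."""
    return sorted(set(listeners) - ALLOWED_EXPOSURE)


if __name__ == "__main__":
    # Constructed sample: a compliant IKE proposal followed by a legacy fallback.
    ike = "aes256gcm16-prfsha384-ecp384,aes128-sha1-modp1024"
    for line in audit_proposal(ike):
        print("IKE:", line)
    # Constructed sample of what an external port scan of the gateway showed.
    seen = [("udp", 500), ("udp", 4500), ("esp", 0), ("tcp", 443), ("tcp", 22)]
    for proto, port in audit_exposure(seen):
        print(f"exposure: {proto}/{port} reachable from outside, not VPN-related")
```

Run against the real `ike`/`esp` proposal lines from the gateway configuration and the result of an external port scan; an empty list from both functions is the target state. The check is deliberately strict about fallbacks, because a negotiated downgrade to a weak proposal is exactly the "weaken encrypted traffic's cryptography" outcome described earlier.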
The latest resources from the US administration add to the slew of cybersecurity measures in recent times. Last week, CISA and the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) identified nine categories of recommended cybersecurity practices and used these categories as the foundation for preliminary control system cybersecurity performance goals.
In August, the administration set up a voluntary industrial control systems (ICS) initiative that envisages collaboration between the federal government and the critical infrastructure community to improve the security of the critical systems. The White House has also signed a national security memorandum that will enhance security for critical infrastructure control systems, focused on building cybersecurity and resilience of these systems.
OT threats are expected to increase in intensity and complexity, as organizations embrace new technologies, KPMG said in a recent insight. “Some examples include data analytics and machine learning, distributed control systems (DCS) virtualisation, and SCADA as a service (SCADA hosted on cloud). Such virtual machines and cloud models represent workloads that also require zero trust security.”
Only time will tell how OT security will evolve, but what is clear is that businesses must be prepared to adapt quickly to stay ahead of ill-intentioned adversaries, it added. “Meanwhile, quantum computing comes as a mixed blessing for OT systems. On [the] one hand, it enhances system performance and speed, while on the other, it allows adversaries to crack traditional encryption with greater ease,” KPMG added.