CISA advises securing web management interfaces from cyber threats with secure-by-design principles

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Wednesday the first alert in its Secure by Design (SbD) Alert series, which focuses on malicious cyber activity against web management interfaces. It argues that customers would be far better shielded from attacks on these interfaces if manufacturers implemented security best practices, eliminated repeat classes of vulnerabilities in their products, and aligned their work to SbD principles.

“One of the core principles we identified in our Secure by Design whitepaper is to ‘take ownership for customer security outcomes’,” wrote Eric Goldstein, CISA’s executive assistant director for cybersecurity, and Bob Lord, senior technical advisor, in a news post. “By identifying the common patterns in software design and configuration that frequently lead to customer organizations being compromised, we hope to put a spotlight on areas that need urgent attention. The journey to build products that are secure by design is not simple and will take time.”

The CISA executives added that they “hope Secure by Design Alerts will help software manufacturers evaluate their software development lifecycles and how they relate to customer security outcomes.”

Titled ‘How Software Manufacturers Can Shield Web Management Interfaces From Malicious Cyber Activity,’ the new SbD alert urges software manufacturers to proactively prevent the exploitation of vulnerabilities in web management interfaces by designing and developing their products around two SbD principles: taking ownership of customer security outcomes, and embracing radical transparency and accountability.

By implementing these two principles in their software design process, software manufacturers can help their customers avoid the exploitation of vulnerabilities in web management interfaces at scale.

The alert begins by defining ‘secure by design’ to mean that software manufacturers build their products in a way that reasonably protects against malicious cyber actors successfully exploiting vulnerabilities in their products. Baking in this risk mitigation, in turn, reduces the burden of cybersecurity on customers. The exploitation of vulnerabilities in web management interfaces continues to cause significant harm to organizations around the world but can be avoided at scale. 

When it comes to taking ownership of customer security outcomes, the CISA SbD alert focuses on three areas where software manufacturers should invest in security: application hardening, application features, and default settings. In each of these areas, manufacturers should scrutinize the defaults their products ship with. For instance, if it is a known best practice to shield a system from the public internet, do not rely on customers to do so.

Rather, have the product itself enforce security best practices. Examples include disabling the product’s web interface by default and shipping a ‘loosening guide’ that lists, in both technical and non-technical language, the risks that come with changing the default configuration. The alert also recommends configuring the product so that it does not operate while in a vulnerable state, such as when it is directly exposed to the internet, and including a pop-up banner that requires administrators to click to acknowledge that they accept the risk of connecting the system to the internet.

Additionally, CISA said that software manufacturers should conduct field tests to understand how their customers deploy products in their unique environments and whether customers are deploying products in unsafe ways. “This practice will help bridge the gap between developer expectations and actual customer usage of the product. Field tests will help identify ways to build the product so customers will securely use it. Furthermore, software manufacturers should consistently enforce authentication throughout their product, especially on critical interfaces such as administrator portals,” it added.
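The guidance above (web interface off by default, refuse to run while exposed to the internet unless the operator explicitly accepts the risk, and authentication enforced on every route rather than only where a developer remembered it) is a product-design change, so here it is as code. This is an added example, not CISA's code or any vendor's: the configuration keys, the `/admin` route layout, the `accept_internet_exposure_risk` flag standing in for the alert's click-through banner, and the sample addresses are all assumptions chosen for illustration.

```python
"""
Added example (not CISA's code or any vendor's): a startup guard that turns the
alert's design guidance into product behaviour. Config keys, route names and the
sample addresses are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class ManagementConfig:
    """Shipped defaults: management UI off, loopback only, admin routes never anonymous."""
    web_ui_enabled: bool = False                  # secure default: the customer must opt in
    bind_address: str = "127.0.0.1"               # secure default: not reachable off-host
    accept_internet_exposure_risk: bool = False   # explicit acknowledgement from the loosening guide
    # Deny-by-default authentication: only these paths skip the login check (assumed layout).
    unauthenticated_routes: frozenset = frozenset({"/health", "/login"})


# Paths that must never appear in the unauthenticated allow-list (assumed layout).
ADMIN_PREFIXES = ("/admin", "/api/admin")


def exposure(addr: str) -> str:
    """Classify a bind address as 'loopback', 'private' or 'public'.

    Wildcard binds (0.0.0.0, ::) listen on every interface, so they count as public.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "public"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def startup_blockers(cfg: ManagementConfig) -> list:
    """Return the reasons the web UI must NOT start; an empty list means it may.

    The product refuses to run in a vulnerable state instead of relying on the
    customer to notice (the alert's "do not operate while in a vulnerable state").
    """
    if not cfg.web_ui_enabled:
        return []  # nothing is exposed, so nothing blocks
    blockers = []
    if exposure(cfg.bind_address) == "public" and not cfg.accept_internet_exposure_risk:
        blockers.append(
            f"bind_address {cfg.bind_address} makes the management UI reachable from "
            "the internet; read the loosening guide and set accept_internet_exposure_risk"
        )
    for path in sorted(cfg.unauthenticated_routes):
        if path.startswith(ADMIN_PREFIXES):
            blockers.append(f"admin route {path} may not be served without authentication")
    return blockers


def authorize(cfg: ManagementConfig, path: str, authenticated: bool) -> bool:
    """Per-request check applied to every route, not only the ones a developer remembered."""
    if path.startswith(ADMIN_PREFIXES):
        return authenticated  # admin surfaces are never allow-listed
    if path in cfg.unauthenticated_routes:
        return True
    return authenticated


if __name__ == "__main__":
    shipped = ManagementConfig()
    print("shipped defaults start web UI:", shipped.web_ui_enabled and not startup_blockers(shipped))

    # Customer loosens the defaults without acknowledging the risk: refuse to start.
    loosened = ManagementConfig(web_ui_enabled=True, bind_address="0.0.0.0")
    for reason in startup_blockers(loosened):
        print("REFUSING TO START:", reason)

    # Same change with the acknowledgement: start, but say so loudly (the alert's banner).
    acknowledged = ManagementConfig(web_ui_enabled=True, bind_address="0.0.0.0",
                                    accept_internet_exposure_risk=True)
    if not startup_blockers(acknowledged):
        print("WARNING: management UI exposed on all interfaces; operator accepted the risk")
```

The design point is where the decision lives: `startup_blockers` runs inside the product at boot, so a wildcard bind without the acknowledgement flag fails closed rather than silently exposing the admin surface, and `authorize` is deny-by-default with admin prefixes excluded from the allow-list entirely, so a forgotten decorator on one new admin route cannot reopen the hole.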

When it comes to embracing radical transparency and accountability, CISA called upon software manufacturers to lead with transparency when disclosing product vulnerabilities. 

To that end, the alert states that “manufacturers should track the root cause of vulnerabilities and ensure CVE entries are complete and include the proper CWE field denoting the class of coding error that led to the vulnerability. Not only does this help customers understand and assess risk, but it also enables other software manufacturers to learn from mistakes fixed across the industry. Finally, software manufacturers should look to identify—and take action to eliminate—repeat classes of vulnerabilities in products.”

To shield their customers from malicious cyber activity targeting web management interfaces, software manufacturers should adopt the principles set forth in CISA’s ‘Shifting the Balance of Cybersecurity Risk’ whitepaper and publish their own secure-by-design roadmap, demonstrating that they are not simply implementing tactical controls but are rethinking their role in keeping customers secure.

The lead cybersecurity agency has been active in safeguarding the nation from rising threats and attacks. This week, CISA gave the industry a sneak peek at a new way for organizations to understand their cyber risk and receive targeted, straightforward guidance built around the agency’s Cybersecurity Performance Goals (CPGs). Set to debut in early 2024, the tool, called ReadySetCyber, is meant to simplify incorporating cybersecurity into an organization’s business decisions, regardless of its level of expertise or the number of personnel on staff.
