CISA evaluates impact of CPGs in mitigating cyber risks for organizations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified positive trends in two Cybersecurity Performance Goals (CPGs) across nearly 3,500 organizations enrolled in the agency’s Vulnerability Scanning service before April 1, 2022. The two CPGs are Mitigating Known Vulnerabilities (CPG Goal 1.E) and No Exploitable Services on the Internet (CPG Goal 2.W). Of note, these CPGs are particularly important in reducing the likelihood of damaging intrusions across IT and operational technology (OT) networks.

“In line with our Cybersecurity Strategic Plan and our focus on measuring risk reduction, CISA is measuring national progress in the adoption of CPGs and associated progress in addressing key risks,” Sandy Radesky, associate director for vulnerability management, Donnalee Beach, section chief for Cybersecurity Performance Goals, and Peter Colombo, deputy section chief for Cybersecurity Performance Goals, wrote in a CISA blog post. 

They added that before the release of CISA CPGs, the reduction trend in the average number of known exploited vulnerabilities (KEVs) was not consistent. “Since the release of CISA CPGs, the organizations enrolled in CISA’s vulnerability scanning service consistently decreased the average number of KEVs on their networks – the reduction average was almost 20 percent.”

Additionally, the decreasing trend shows the progress toward the recommended action of ‘patching or mitigating KEVs on internet-accessible assets’ within this CPG.

“For organizations enrolled in our vulnerability scanning service, CISA looked for trends in public-facing assets with exploitable services on the internet before CPGs and after CPGs were published,” the CISA executives wrote. “CISA identified that the vast majority of exploitable services exhibited modest declines (1 percent or less) among enrolled organizations.”

Specifically, they added that slight reductions were observed in services such as remote desktop protocol (RDP) and remote procedure call (RPC), which are common attack vectors threat actors use for initial access, ransomware distribution, command and control, and data exfiltration. 

Organizations enrolled in CISA’s vulnerability scanning continued to show progress, either reducing or maintaining the average number of KEVs exposed per entity, alongside gradual reductions in the percentage of entities exposing exploitable internet services. CISA anticipates continued progress toward CPG implementation and risk reduction among organizations enrolled in vulnerability scanning.

“From April 1, 2022, to June 30, 2023, enrollment in CISA’s vulnerability scanning service increased nearly 69% – more than 5,900 participating organizations,” according to the CISA blog post. “On average, newly enrolled organizations decreased their vulnerability exposure by 20 percent within the first three months of vulnerability scanning.”

Last October, CISA released the CPGs to help organizations of all sizes and at all levels of cyber maturity become confident in their cybersecurity posture and reduce business risk. Earlier this summer, CISA outlined four CPGs that organizations could implement as first steps towards better cybersecurity.

“While we continue to urge every organization to incorporate these fundamental cybersecurity practices, we are encouraged to see and share a few positive trends we’ve identified since they were released,” according to the agency.

Looking ahead, CISA noted that while these trends are moving in the right direction, there is still room for improvement; this is only the beginning. “Moving forward, we plan to periodically update and expand our analysis of trends that will allow us to track progress and focus our collective efforts on areas that require attention,” it added.

The lead security agency also plans to introduce new services and capabilities to simplify CPG utilization and enhance the ability to track national and sector-specific progress. When an organization uses the CPGs, CISA and its partners can help it understand the specific actions it needs to take to effectively reduce the specific risks it has identified. Additionally, the agency’s regional cybersecurity advisors are a valuable resource that can help organizations assess their cybersecurity and implement CPGs.

Since the CPGs were rolled out, CISA has taken steps to encourage adoption, from the Ransomware Vulnerability Warning Pilot (RVWP) and the Shields Up campaign to its CPG Assessments. These are intended to encourage the adoption of CPGs and reduce the prevalence and impact of cyber intrusions affecting American organizations.

“We are taking this journey together and we welcome your contribution,” the CISA executives wrote. “Organizations should consider enrolling (and staying enrolled) in our vulnerability scanning service and conducting a CPG Assessment, a module within our Cyber Security Evaluation Tool (CSET). This assessment can be self-administered or carried out with a regional CISA Cybersecurity Advisor.”

Last month, CISA provided a preview of an upcoming launch that will revolutionize how organizations assess their cyber risk and access tailored guidance based on the agency’s CPGs. Scheduled for release in early 2024, the innovative tool, ReadySetCyber, will streamline the integration of cybersecurity into an organization’s business decisions, regardless of their expertise or staff size.
