Goldstein suggests password changes, phishing-resistant MFA, incident response plans for better cybersecurity

Identifying the initial steps towards better cybersecurity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) put forward four goals that organizations can start executing now. Eric Goldstein, CISA’s executive assistant director for cybersecurity, laid down straightforward and essential practices: changing default passwords, implementing phishing-resistant multi-factor authentication (MFA), separating user and privileged accounts, and building incident response plans.

“We know that no organization can adopt every possible cybersecurity measure or solution, but every organization can do something,” Goldstein wrote in a Friday blog post. “We also know that some cybersecurity measures are more effective than others in addressing the types of attacks that occur with the greatest frequency and impact. There’s no shortage of guidance, best practices, and standards, but we’ve heard from countless partners about a challenge in prioritization.”

“To address this gap, President Biden’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems required Cybersecurity and Infrastructure Security Agency (CISA) to work with industry and interagency partners to develop a set of voluntary cross-sector Cybersecurity Performance Goals (CPGs),” according to Goldstein. “We first introduced the CPGs in December 2022 and updated them this March based on initial stakeholder feedback.” 

Goldstein added that the CPGs were developed for entities of all sizes and across all sectors and were meant to enable rigorous prioritization because being secure shouldn’t mean breaking the budget. “In addition, the CPGs can help organizations evaluate their current cyber posture while guiding them on how to achieve a strong cybersecurity foundation for their organization.”

“We believe that if every organization incorporates fundamental cybersecurity practices, they can materially reduce the risk of intrusions, no matter what sector or what size,” Goldstein said. “As the nation’s Cyber Defense Agency, our goal at CISA is to make it easier for every organization to prioritize the most important cybersecurity practices. We also want to be sure they are clear, easy to understand, and, when implemented, lay out tangible steps organizations can take to reduce the risk of cyberattacks and the damage they can wreak.”

He added that, organized according to the Cybersecurity Framework, “the CPGs reflect some of the best thinking gleaned from across the cybersecurity community and draw from extensive input from experts across sectors, public and private, domestic and international.” Goldstein continued: “While the full list of goals may seem long, particularly for small organizations, they are quite achievable.”

When it comes to changing default passwords, Goldstein suggests creating and enforcing an organization-wide policy that requires changing manufacturers’ default passwords before putting hardware, software, or firmware on the network. This helps organizations both prevent initial access by threat actors and hinder lateral movement in the event of a compromise. “Many devices, such as smartphones, may prompt new users to set up a new password by default. However, many devices still do not prompt users to take this action, and it should be one of the first steps when deploying any new asset or device. Importantly, no technology product should come with a default password that isn’t reset on first use,” he added.

Addressing the implementation of phishing-resistant MFA, Goldstein said that adding this critical, additional layer of security to protect an organization’s accounts can deny threat actors the initial foothold they use to wreak havoc. “CISA recommends using hardware-based tokens, such as FIDO or Public Key Infrastructure, for the greatest resistance to exploitation. App-based soft tokens are a good option as well. While better than having no additional security layer, Short Message Service (SMS) should be an organization’s last resort for implementing multifactor authentication,” he added.

Goldstein recommends separating user and privileged accounts, ensuring that no everyday user account carries administrator-level privileges, so that threat actors find it harder to gain access or escalate privileges even if a user account is compromised. “Be sure to frequently re-evaluate privileges on a recurring basis to validate the need for certain permissions. For example, an employee on the marketing team should likely not have access to company human resources data, as it is not necessary for their daily work,” he added.

When it comes to incident response plans, Goldstein suggests creating, maintaining, and exercising cybersecurity response plans, which help an organization know what needs to be done to quickly address common threat scenarios and recover faster.

“While large organizations may have complex plans, smaller entities may start with a simple plan outlining immediate steps to take in an emergency (such as contacting a service provider for assistance) and improve on the plan over time,” according to Goldstein. “CISA recommends organizations practice exercising the plan by drilling realistic scenarios at least annually. Again, for large organizations these may be carefully planned tabletop exercises, but for small teams, approaches such as simple rehearsals or spoken walkthroughs can still provide value.”

Last week, CISA rolled out a cybersecurity advisory warning critical infrastructure organizations about hackers exploiting an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway devices.
