A Look at the Cybersecurity Red Alert from the White House

On Monday, the White House announced a red alert regarding cybersecurity. You can read the full statement by President Biden on our Nation’s Cybersecurity, but at a high level, it covers:

• The economic sanctions that the US and allies imposed on Russia increased the probability of Russia and its allies’ retaliation in the form of cyber attacks.

• US intelligence analysts observed activity that supports this hypothesis.

• The White House strengthened the cybersecurity of critical infrastructure organizations under their authority and established more partnerships with private sector organizations that also support critical infrastructure.

“What does that mean for me though?

The problem is, as the White House put it, that "[m]ost of America's critical infrastructure is owned and operated by the private sector." That is, most of our critical infrastructure is not under federal government authority and not subject to its strict security controls. These private sector businesses include shopping centers, hospitals, banks, farms, factories, oil and gas, and mass transit, but also big IT services like internet providers (e.g. Verizon), DNS resolvers (e.g. Cloudflare), authentication platforms (e.g. Okta), and cloud hosting providers (e.g. Amazon).

So, private business owners and operators "must accelerate efforts to lock their digital doors" in order to "prevent or mitigate attacks."

Resources provided include a Shields Up status page and cyber defense hardening fact sheet.

“What did DHS say we should do?”

In the short term:

• Require multi-factor authentication (MFA) on all accounts

• Require endpoint monitoring for all endpoint devices (e.g. laptops, phones, servers)

• Find a trusted cybersecurity partner to help you identify your risks

• Perform vulnerability scanning to see where you’re vulnerable

• Change passwords for critical accounts, if not all accounts

• Back-up data offline - as in completely separate devices

• Practice drills for emergency response activities

• Encrypt your data at rest and in transit in case it is stolen

• Train users in recognizing phishing and system compromise

• Engage with FBI and CISA early as an organization so if something goes wrong they can provide assistance

In the long term:

• Include security professionals in software planning and development, not only in subsequent phases

• Develop software in secure environments

• Scan source code and systems for vulnerabilities and address them

• Validate code library, package, or component provenance, particularly from open source products

• Implement security practices mandated in the President’s Executive Order, Improving our Nation’s Cybersecurity

In short, consider what you can act on from the Fact Sheet and keep apprised of the situation by keeping an eye on Shields Up.

“Got it. What do cybersecurity pros like Hive Systems suggest?”

• Run tabletop exercises of your incident response plans early (like now). These are generally scripted walkthroughs where you pretend that a breach, virus, or internet outage occurs and have the opportunity to identify gaps in your plan to respond so that the organization can maintain operations.

• Warm up your incident responders. Have a meeting with the people you’d contact if disaster strikes. Ask how you’ll connect if the internet and cellular connections get disrupted, if transit stops, if the office becomes a danger zone, and so on.

• Increase the sensitivity of your cybersecurity monitoring systems and bolster the resources monitoring them to handle the increased false-positive results, even if temporary. Schedule a “sensitivity reassessment” date to re-assess if turning the sensitivity back down is acceptable.

• Refresh your IT asset inventory and account for all the technology (and accounts) you use to run your organization.

• Segment internet-of-things (IoT) devices (e.g. cameras, smart thermostats, Alexa) from your full-fledged computers. They are footholds into your network that the device makers don’t keep up to date very well.

• Back up your systems earlier than planned. Keep a copy off the network (assume a virus could spread to them) even if temporary via a timed window for backups to occur.

“Ok, but what if we need help?”

As the White House Fact Sheet says, engage cybersecurity professionals like Hive Systems! And engage with your local FBI and CISA offices.

“How do I prioritize this among everything else? These headlines seem to come up all the time…”

I know, right? We help clients prevent headline, directive, alert “whiplash” by establishing a risk-based cybersecurity roadmap. Once established, when you see headlines like this, you can simply ask yourself: which of these cybersecurity projects should we deprioritize based on this new threat in order to prioritize a new one? If your strategic roadmap is in good shape, you probably won’t have to reprioritize at all, which saves the business and IT department a lot of headaches. We’ll help you establish a directive processing workflow so that you make quality decisions, and have your reasoning journaled in a way auditors understand and will be happy to see.

Ready for your free one hour strategy discussion?

Follow us - stay ahead.

Read more of the ACT