CISA Releases Cybersecurity Guidance for Healthcare, Public Health Organizations

The US cybersecurity agency CISA has published new guidance to help healthcare and public health organizations understand the cyber threats and risks to their sector and apply mitigations.

Titled Mitigation Guide: Healthcare and Public Health (HPH) Sector (PDF), the document was released as a supplemental companion to a Cyber Risk Summary distributed in July, and comes roughly one month after CISA and HHS announced cybersecurity resources for the HPH sector.

Using data collected from the organizations enrolled in CISA’s vulnerability scanning and web application scanning programs, the new guide incorporates the agency’s Known Exploited Vulnerabilities (KEV) catalog, information from other sources, and the MITRE ATT&CK framework, to contextualize vulnerability trends.

It also recommends mitigations in line with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs), and provides additional guidance and support for HPH organizations.

CISA’s recommendations start with asset management and security, a sensitive issue given the high value of protected health information (PHI) and the other types of information HPH organizations work with, all of which represent an attractive target for threat actors.

Next, the guidance covers identity management and device security, providing recommendations on email security, phishing prevention, passwords, access management and monitoring, and data protection practices.

Vulnerabilities, patching, and managing configurations are also covered. Organizations are advised to create asset inventories to identify flaws, to ensure on-time patching of all servers and applications, and to implement security configuration management to identify and address misconfigurations.

The guidance also recommends that secure-by-design principles be adopted by the manufacturers of HPH products: “With internet-facing systems connected to critical health systems and functions, it is crucial that manufacturers of technology products used by HPH entities employ secure by design practices.”

Finally, the document provides vulnerability remediation guidance, to help HPH organizations prioritize the patching of vulnerabilities based on their internal network architecture and risk posture.

CISA draws attention to five vulnerabilities known to be used in attacks, namely CVE-2021-44228 (the infamous Log4Shell bug impacting Apache Log4j2), CVE-2019-11043 and CVE-2012-1823 (RCE flaws in PHP-FPM and php-cgi respectively), CVE-2021-34473 (one of the three Microsoft Exchange bugs chained in ProxyShell), and CVE-2017-12617 (RCE in Apache Tomcat via JSP upload over HTTP PUT).
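The prioritization the guide describes can be mechanised. The following is an added example, not a CISA tool, that joins a constructed scan inventory with a constructed excerpt in the shape of the KEV JSON feed (the field names `cveID`, `dueDate` and `knownRansomwareCampaignUse` are the feed’s own; the due dates and flags here are illustrative, not copied from the catalog) and ranks findings by KEV membership, internet exposure, ransomware use and overdue status. Host names and the placeholder `CVE-0000-0000` are made up for the example.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (same field names as the
# real feed; the five entries cover the CVEs named above, but due dates and the
# ransomware flag are illustrative, not copied from the catalog).
KEV_SNAPSHOT = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
  "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft", "product": "Exchange Server",
  "dueDate": "2022-04-15", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2019-11043", "vendorProject": "PHP", "product": "PHP-FPM",
  "dueDate": "2022-04-15", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2012-1823", "vendorProject": "PHP", "product": "php-cgi",
  "dueDate": "2022-04-15", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2017-12617", "vendorProject": "Apache", "product": "Tomcat",
  "dueDate": "2022-04-15", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed scanner output: one record per asset with the CVEs found on it and
# whether the service is reachable from the internet. "CVE-0000-0000" is a
# placeholder standing in for any finding that is not in the catalog.
INVENTORY = [
    {"host": "pacs-web01", "internet_facing": True, "cves": ["CVE-2017-12617", "CVE-2021-44228"]},
    {"host": "mail01", "internet_facing": True, "cves": ["CVE-2021-34473"]},
    {"host": "intranet-php", "internet_facing": False, "cves": ["CVE-2019-11043", "CVE-2012-1823"]},
    {"host": "hr-app", "internet_facing": False, "cves": ["CVE-0000-0000"]},
]


def prioritize(inventory, kev, today):
    """Rank (host, CVE) pairs: KEV membership dominates, then internet exposure,
    known ransomware use, and whether the KEV remediation due date has passed."""
    kev_by_id = {v["cveID"]: v for v in kev["vulnerabilities"]}
    rows = []
    for asset in inventory:
        for cve in asset["cves"]:
            score, reasons = 0, []
            entry = kev_by_id.get(cve)
            if entry is not None:
                score += 100
                reasons.append("listed in KEV")
                if entry.get("knownRansomwareCampaignUse") == "Known":
                    score += 20
                    reasons.append("used in ransomware campaigns")
                if date.fromisoformat(entry["dueDate"]) <= today:
                    score += 10
                    reasons.append("past KEV due date " + entry["dueDate"])
            if asset["internet_facing"]:
                score += 50
                reasons.append("internet-facing")
            rows.append({"host": asset["host"], "cve": cve, "score": score,
                         "reasons": reasons or ["not in KEV, internal only"]})
    # Highest score first; host and CVE ID act as deterministic tie-breakers.
    rows.sort(key=lambda r: (-r["score"], r["host"], r["cve"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(INVENTORY, KEV_SNAPSHOT, date(2023, 11, 1)):
        print(f'{r["score"]:>4}  {r["host"]:<14} {r["cve"]:<16} {", ".join(r["reasons"])}')
```

The weights are deliberately coarse: anything in KEV outranks anything that is not, regardless of exposure, which matches the guide’s point that exploited-in-the-wild status should drive the patch order before CVSS-style severity does.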

“As highlighted within this guide, HPH Sector entities should be vigilant in their vulnerability mitigation practices to prevent and minimize the risk from cyber threats. Once an organization assesses and deems a vulnerability a risk, it must treat the vulnerability. CISA recommends HPH entities implement this guidance to significantly reduce their cybersecurity risk,” CISA concludes.

Related: US Government Releases Security Guidance for Open Source Software in OT, ICS

Related: CISA, NSA Share Guidance on Hardening Baseboard Management Controllers

Related: US Government Releases Anti-Phishing Guidance

https://www.securityweek.com/cisa-releases-cybersecurity-guidance-for-healthcare-public-health-organizations/




K-12 Schools Improve Protection Against Online Attacks, but Many Are Vulnerable to Ransomware Gangs

Some K-12 public schools are racing to improve protection against the threat of online attacks, but lax cybersecurity means thousands of others are vulnerable to ransomware gangs that can steal confidential data and disrupt operations.

Since a White House conference in August on ransomware threats, dozens of school districts have signed up for free cybersecurity services, and federal officials have hosted exercises with schools to help them learn how to better secure their networks, said Anne Neuberger, the Biden administration’s deputy national security advisor for cyber and emerging technology.

Neuberger said more districts need to take advantage of programs available that would better guard against online attackers who are increasingly targeting schools. Their aim is to lock up computer systems, and in some cases, steal and publish sensitive personal information if a ransom is not paid.

“Compromises happen again and again, often in the same way, and there are defenses to protect against it. And here the government has really brought companies together, brought agencies together to deploy some of those,” Neuberger said in an interview. “Don’t give up. Reach out and sign up. And your kids will be a lot safer online.”

The administration announced steps over the summer to help cash-strapped schools, which have been slow to build up cybersecurity defenses. Ransomware attackers, many of whom are based in Russia, have not only forced schools to temporarily close but have exposed a wealth of students’ private information.

Last month, parents sued the Clark County School District in Nevada, alleging a ransomware attack led to the release of highly sensitive information about teachers, students and their families in the country’s fifth largest school district. In another high-profile case this year, hackers broke into the Minneapolis Public Schools system and dumped sexual assault case records and other sensitive files online after the district refused to pay a $1 million ransom.

More than 9,000 small public school districts across the United States with up to 2,500 students — that’s roughly 70 percent of public districts in the country — are now eligible for free cybersecurity services from web security company Cloudflare through a new program called Project Cybersafe Schools, Neuberger said. Since August, roughly 140 districts in 32 states have signed up for the program, which provides free email security and other online threat protection, she said.

James Hatz, technology coordinator for Rush City Public Schools in Minnesota, said the program arrived just in time for their district, quickly stopping 100 suspicious emails from getting to staff. Hatz said cybercriminals often try to get teachers to click on malicious links by pretending to be an administrator sharing documents about things such as pay raises.

“We are not going to be bulletproof, but the more we can do to make it harder, the better between user training, this program and everything else,” Hatz said.

Neuberger also said a $20 million grant program from Amazon Web Services that is designed to help schools improve their cybersecurity has received about 130 applications.

The Federal Communications Commission has also proposed a pilot program that would make up to $200 million available over three years to strengthen cyber defense in schools and libraries. Neuberger said the hope is that money will be available to schools in the “near future.”

But Doug Levin, director of the K12 Security Information eXchange, a Virginia-based nonprofit that helps schools defend against cybersecurity risk, said he fears attacks against schools are going to continue to grow both in frequency and severity without more federal support and requirements that schools have baseline cybersecurity controls.

“Most have underfunded their IT functions. They do not have cybersecurity experts on staff. And they’re increasingly being viewed as a soft target by cyber criminals,” Levin said. “So, ultimately I think the federal government is going to need to do more.”

Related: Ransomware Criminals Are Dumping Kids’ Private Files Online After School Hacks

Related: Ransomware Leads to Nantucket Public Schools Shutdown

https://www.securityweek.com/k-12-schools-improve-protection-against-online-attacks-but-many-are-vulnerable-to-ransomware-gangs/




After Major Cloud Hacks, Microsoft Unveils ‘Secure Future Initiative’

In response to a spate of embarrassing hacks, Redmond pushes ‘Secure Future Initiative’ promising faster cloud patches, better management of identity signing keys and products with a higher default security bar.

https://www.securityweek.com/after-major-cloud-hacks-microsoft-unveils-secure-future-initiative/




Extending ZTNA to Protect Against Insider Threats

Cyberthreats are growing in their pervasiveness, stealth, and severity, and the potential consequences of a breach are more severe than ever before. With increasing skepticism and wariness among security teams, it makes sense to embrace the “never trust, always verify” principle of Zero Trust, which Zero Trust Network Access (ZTNA) applies to application access. ZTNA authenticates and authorizes every user and device, no matter where they are, before granting access to each of the apps and assets they need.

When authenticated users get access only to the resources they absolutely need for their jobs, the risk of data theft and exfiltration automatically goes down. But it doesn’t subside completely. Recent data indicates that despite 94% of organizations feeling confident about their understanding of ZTNA, 68% still experienced a cyberattack last year, according to the 2023 Hybrid Security Trends Report (PDF) from Netwrix.

Why ZTNA Fails

One of the main reasons why ZTNA fails is that most ZTNA implementations focus entirely on securing remote access. The belief that users inside the office perimeter can be intrinsically trusted outright violates ZTNA’s “never trust” approach. It overlooks the threats posed by disgruntled employees and IT staffers who are inside the secure office premises with authentic credentials but malicious intent. Moreover, even well-meaning employees are prone to errors in judgment and in everyday operations.

Another problem with the remote-only approach to ZTNA is that admins can no longer construct a single application access policy for on- and off-site users. This alone can create loopholes and affect the operational efficiency of organizations. However, extending ZTNA to internal users also has its challenges:

  • Network Infrastructure: To implement ZTNA within the office, organizations need to ensure that their network infrastructure supports the necessary technologies and protocols. This may involve deploying an SDP (software-defined perimeter) controller or secure access gateways that enforce ZTNA policy per application within the local network; a VPN (virtual private network) on its own authenticates once at the tunnel endpoint and does not provide that per-application control.
  • Network Segmentation: ZTNA relies on the segmentation of networks and resources to limit access based on user identity and device posture. Admins may have to reconfigure their internal network architecture to implement proper network segmentation and access controls.
  • Legacy Devices and Applications: Agent-based ZTNA is sometimes incompatible with certain devices already being used within the organization. Legacy systems and applications hosted on internal data centers may also not integrate seamlessly with ZTNA.

Despite these challenges, extending ZTNA capabilities to users within the office is crucial for providing secure access and improving the overall security posture.

RBAC+ can Extend ZTNA to Users and IT Admins Inside the Office

RBAC+ extends the capabilities of RBAC (Role Based Access Control) which associates access policies with roles and assigns users to specific roles. RBAC+ goes a step further to incorporate user attributes, environmental factors, and just-in-time situational awareness to implement more dynamic, context-aware, and fine-grained access control policies.

RBAC+ allows organizations to map job roles to access policies within the ZTNA framework. This ensures that whether a user is in the office or outside, access to IT resources will be determined by the same ZTNA policy and user identity. In addition to the user identity, environmental and contextual factors, such as the device posture, user location, and time of the day, also guide ZTNA access control to detect anomalies and prevent abuse of privilege in real-time.
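As an added illustration (not code from the article or from any vendor’s RBAC+ product), the following policy evaluator shows the point above in working form: plain RBAC maps roles to resources, and the contextual attributes (device posture, MFA, time of day and source location) are checked by the same function whether the request comes from the office LAN or from outside. The roles, resources, IP ranges and requirements are constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
import ipaddress

# Constructed policy for a hypothetical clinic. Plain RBAC: role -> resources.
ROLE_RESOURCES = {
    "clinician": {"ehr-web"},
    "it-admin": {"ehr-web", "ehr-db-admin"},
}

# The "+" in RBAC+: per-resource context requirements on device posture, MFA and,
# for the most sensitive resource, a time-of-day window.
RESOURCE_REQUIREMENTS = {
    "ehr-web": {"managed_device": True, "mfa": True},
    "ehr-db-admin": {"managed_device": True, "mfa": True, "disk_encrypted": True,
                     "patched": True, "hours": (time(7, 0), time(19, 0))},
}

OFFICE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed office range


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    resource: str
    src_ip: str
    managed_device: bool
    disk_encrypted: bool
    patched: bool
    mfa: bool
    local_time: time


def location(ip):
    addr = ipaddress.ip_address(ip)
    return "office" if any(addr in net for net in OFFICE_NETWORKS) else "remote"


def evaluate(req):
    """Return (allowed, reason). Location is recorded as context for logging and
    anomaly detection but never relaxes a check, so an in-office request is held
    to exactly the same policy as a remote one."""
    where = location(req.src_ip)
    granting = sorted(r for r in req.roles if req.resource in ROLE_RESOURCES.get(r, set()))
    if not granting:
        return False, f"{where}: no role of {req.user} grants {req.resource}"
    posture = {"managed_device": req.managed_device, "mfa": req.mfa,
               "disk_encrypted": req.disk_encrypted, "patched": req.patched}
    for attr, needed in RESOURCE_REQUIREMENTS[req.resource].items():
        if attr == "hours":
            start, end = needed
            if not start <= req.local_time <= end:
                return False, f"{where}: {req.resource} only allowed {start}-{end}"
        elif posture[attr] != needed:
            return False, f"{where}: {attr} requirement not met"
    return True, f"{where}: allowed via role {granting[0]}"


def run_examples():
    """Five constructed requests; returns {name: (allowed, reason)}."""
    base = dict(managed_device=True, disk_encrypted=True, patched=True, mfa=True,
                local_time=time(10, 30))
    cases = {
        # Insider on the office LAN with an unmanaged laptop: denied.
        "admin_office_unmanaged_device": AccessRequest(
            "dba1", frozenset({"it-admin"}), "ehr-db-admin", "10.20.4.17",
            **{**base, "managed_device": False}),
        # Same person, same device state, from home: identical decision.
        "admin_remote_unmanaged_device": AccessRequest(
            "dba1", frozenset({"it-admin"}), "ehr-db-admin", "203.0.113.9",
            **{**base, "managed_device": False}),
        # Compliant device, but database admin access at 02:00 is outside the window.
        "admin_office_after_hours": AccessRequest(
            "dba1", frozenset({"it-admin"}), "ehr-db-admin", "10.20.4.17",
            **{**base, "local_time": time(2, 0)}),
        # Clinician with a compliant device from home: allowed to the EHR web app.
        "clinician_remote_ok": AccessRequest(
            "nurse7", frozenset({"clinician"}), "ehr-web", "203.0.113.9", **base),
        # Clinician trying the DB admin console from the office: role does not grant it.
        "clinician_office_db_admin": AccessRequest(
            "nurse7", frozenset({"clinician"}), "ehr-db-admin", "10.20.4.17", **base),
    }
    return {name: evaluate(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_examples().items():
        print(f"{name:<32} {'ALLOW' if allowed else 'DENY':<5} {reason}")
```

The first two cases are the ones that matter for the insider argument: the only difference between them is the source address, and the decision is the same, because the office network is a signal in the log line, not a trust boundary.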

Modern organizations are now attempting to break down silos and adopt cross-functional teams with approaches such as DevOps and SASE (Secure Access Service Edge), which integrates networking and security behind a single management console for better visibility, network performance, and security coverage. With RBAC+, organizations can define and manage today’s dynamic and overlapping job roles, globally or by location. They can customize roles and define extremely granular access policies for individual capabilities across networking and security frameworks.

Continuous Monitoring and Advanced DNS Protections Enhance ZTNA

At the heart of ZTNA is the ability to continually inspect traffic flows once users are granted access. Successful ZTNA implementations leverage AI and ML algorithms to identify suspicious activities based on historical data and available threat intelligence. This ensures that any suspicious access attempts or deviations from normal behavior by authenticated and authorized users can be detected and mitigated right away, reducing the risk of successful insider attacks.

Advanced DNS protections also play a crucial role in fortifying ZTNA, because cybercriminals often seek to redirect or manipulate DNS requests to harvest credentials or exfiltrate data. Organizations can combine DNS filtering (blocking known-bad domains at resolution time), DNSSEC (DNS Security Extensions, which validate that responses have not been forged), and DNS monitoring and analysis (spotting anomalous query patterns such as tunnelling) to detect malicious DNS activity and to identify and block domains used for phishing and other forms of cyberattack. By preventing insiders’ access to malicious domains, organizations can enhance the overall effectiveness of ZTNA and mitigate risks to in-house IT resources.
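An added example of the monitoring side, not from the article: a small analyser run over constructed resolver log lines. It flags a domain on a (constructed) blocklist and, independently of any list, a domain whose queries carry many distinct, long, high-entropy leftmost labels, the pattern that DNS tunnelling and exfiltration tools produce. The log layout, the thresholds and the `.test`/`example.org` names are assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<timestamp> <client> <qname> <qtype>".
# example.org and the .test names are reserved documentation names, not real sites.
SAMPLE_LOG = """\
2023-11-02T10:15:01Z 10.20.4.17 www.example.org A
2023-11-02T10:15:02Z 10.20.4.17 mail.example.org MX
2023-11-02T10:15:03Z 10.20.4.17 login.example.org A
2023-11-02T10:15:04Z 10.20.4.42 5a7d3e9f1c2b4a6e8d0f1234.data.exfil-example.test A
2023-11-02T10:15:05Z 10.20.4.42 9e1c4b7a2f6d8e0c3a5b7d9f.data.exfil-example.test A
2023-11-02T10:15:06Z 10.20.4.42 3c8e2a5f7b1d9e4c6a0f2b8d.data.exfil-example.test A
2023-11-02T10:15:07Z 10.20.4.42 7b4f1e9c3a5d8b2e6f0c4a1d.data.exfil-example.test TXT
2023-11-02T10:15:08Z 10.20.4.42 2d6a9c1e5b3f7a8d0e4c6b2f.data.exfil-example.test TXT
2023-11-02T10:15:09Z 10.20.4.99 login.phish-example.test A
2023-11-02T10:15:10Z 10.20.4.17 cdn.example.org A
"""

# Constructed blocklist standing in for a threat-intelligence feed.
BLOCKLIST = {"phish-example.test"}


def shannon_entropy(s):
    """Bits of entropy per character; hex-encoded data sits close to 4.0."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def registered_domain(qname):
    # Naive: the last two labels. A real deployment would consult the Public Suffix List.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyse(log_text, blocklist=BLOCKLIST, min_queries=5, min_label_len=20,
            entropy_threshold=3.5, min_unique_ratio=0.8):
    """Return {registered_domain: finding} for blocklisted domains and for domains
    whose queries look like a tunnel: many distinct, long, high-entropy leftmost labels."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set(),
                                 "high_entropy": 0, "txt": 0})
    for line in log_text.splitlines():
        _ts, client, qname, qtype = line.split()
        st = stats[registered_domain(qname)]
        st["queries"] += 1
        st["names"].add(qname)
        st["clients"].add(client)
        if qtype == "TXT":            # TXT answers are the usual downstream channel
            st["txt"] += 1
        first = qname.split(".")[0]   # leftmost label carries the encoded payload
        if len(first) >= min_label_len and shannon_entropy(first) >= entropy_threshold:
            st["high_entropy"] += 1

    findings = {}
    for dom, st in stats.items():
        base = {"queries": st["queries"], "clients": sorted(st["clients"])}
        if dom in blocklist:
            findings[dom] = {**base, "reason": "blocklisted domain"}
        elif (st["queries"] >= min_queries and st["high_entropy"] >= min_queries
              and len(st["names"]) / st["queries"] >= min_unique_ratio):
            findings[dom] = {**base, "reason": "tunnel-like query pattern",
                             "unique_names": len(st["names"]), "txt_queries": st["txt"]}
    return findings


if __name__ == "__main__":
    for dom, finding in analyse(SAMPLE_LOG).items():
        print(dom, finding)
```

The two detections are complementary: the blocklist catches what is already known, while the entropy and uniqueness test catches a domain nobody has reported yet, which is the case an insider or a fresh malware family presents.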

Strengthen Access Control with Comprehensive ZTNA Capabilities

Threat actors are known to exploit weaknesses in access control and authorization. They are always on the hunt for privileged account credentials, and the dark web provides an easy-access platform for purchasing them. That is why access control must go beyond credentials and MFA (multi-factor authentication). While ZTNA is a key strategy for implementing continuous verification and stringent access controls, it must be complemented with additional components for comprehensive security. As a starting point, comprehensive ZTNA must extend zero-trust access to in-office and remote users consistently and seamlessly. It should also be fortified with continuous monitoring and advanced DNS protections for insider threats and attacks that bypass authentication and authorization mechanisms.

Related: Universal ZTNA is Fundamental to Your Zero Trust Strategy

Related: The History and Evolution of Zero Trust

https://www.securityweek.com/extending-ztna-to-protect-against-insider-threats/




CISA, HHS Release Cybersecurity Healthcare Toolkit

The US cybersecurity agency CISA and the Department of Health and Human Services (HHS) on Wednesday released cybersecurity resources for healthcare and public health (HPH) organizations.

These entities rely heavily on digital technologies to store personal and medical information, perform medical procedures, and communicate with patients, which increases their attack surface, yet they often struggle to find the resources to invest in cybersecurity.

The newly released cybersecurity healthcare toolkit is meant to help organizations at every level build their cybersecurity foundation and implement more advanced tools to improve their defenses.

The toolkit details cyber hygiene steps that both organizations and individuals should take, provides an overview of the threat landscape, documents cybersecurity best practices, and provides a cybersecurity framework implementation guide.

Furthermore, it provides organizations with risk assessment tools and information on recommended tools, such as vulnerability scanning services and CISA’s Known Exploited Vulnerabilities (KEV) catalog.

The toolkit also recommends resources to help organizations strengthen their security stance, prevent ransomware attacks, access free cybersecurity services and tools, and implement incident response plans.

For organizations constrained by resources, the toolkit recommends accessing the State and Local Cybersecurity Grant Program (SLCGP), and free and low-cost services for near-term improvements, and details what organizations in the health sector should expect from technology providers.

“Because cybersecurity is one of many areas where the healthcare and public health sector is facing persistent challenges, CISA and HHS are providing this toolkit filled with remedies to give sector stakeholders a greater ability to proactively assess vulnerabilities and implement solutions,” CISA and HHS note.

The toolkit was released on the same day that CISA and HHS co-hosted a roundtable discussion on the cybersecurity challenges the health sector faces and on how collaboration between the government and the industry can help reduce risks.

“Adversaries see healthcare and public health organizations as high value yet relatively easy targets – or what we call target rich, cyber poor. Given that healthcare organizations have a combination of personally identifiable information, financial information, health records, and countless medical devices, they are essentially a one-stop shop for an adversary,” CISA deputy director Nitin Natarajan said.

Related: Healthcare Organizations Hit by Cyberattacks Last Year Reported Big Impact, Costs

Related: Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data

Related: Personal Information of 11 Million Patients Stolen in Data Breach at HCA Healthcare

https://www.securityweek.com/cisa-hhs-release-cybersecurity-healthcare-toolkit/




Beyond Quantum: MemComputing ASICs Could Shatter 2048-bit RSA Encryption

San Diego-based MemComputing is researching the use of in-memory processing ASICs (Application Specific Integrated Circuits) to potentially crack 2048-bit RSA in real time.

MemComputing is a company and computing philosophy born out of theory. The theory is that if processing and data can be combined in memory, the so-called ‘von Neumann bottleneck’ can be broken. This bottleneck is latency introduced by having storage and processing separate, and the consequent necessity of communicating between the two.

As problem size grows, the processing time required by classical algorithms for a class of hard problems grows exponentially (or, for the best known factoring algorithms, sub-exponentially) in the size of the input. The result is that such problems cannot be solved by classical (basic von Neumann architecture) computers in any meaningful time frame.

“Among intractable combinatorial problems, large-scale prime factorization is a well-known challenge,” MemComputing researchers wrote in a paper titled Scaling up prime factorization with self-organizing gates: A memcomputing approach (PDF). It is the intractability of this problem that has kept RSA-based encryption theoretically secure for so long. It’s not that it is mathematically impossible, merely that it would take too long to be realistic using classical computers.

Where theory cannot be demonstrated by fact, the problem and solution are emulated in software. For cracking RSA, “Presently, sieve methods represent the state-of-the-art algorithms showing promise, with the general number field sieve method being the most effective. Nevertheless, even these methods struggle to factor a 2048-bit RSA key within a sensible timeframe, and past instances have taken almost 2700-CPU-years to factor an 829-bit number using computer clusters.”

With those algorithms, time-to-solution grows steeply with key size. “It is estimated that with current technology using the best-known algorithm (general number field sieve, GNFS), factoring a 2048-bit RSA key would take longer than the age of the universe,” the researchers added.

A sufficiently large, fault-tolerant quantum computer running Shor’s algorithm would solve this problem within a meaningful timeframe. Hence the NIST-driven push for post-quantum algorithms, built on different mathematical problems, that can continue protecting encrypted data. Estimates of when such quantum computers will arrive vary greatly, but ‘decades’ is usually quoted.

Enter MemComputing’s combined memory/processing. Simulation shows that time-to-solution for difficult problems grows only polynomially with problem size rather than exponentially, so the time needed to solve them can be massively reduced.

MemComputing effectively wanted to know how long it would take its patented in-memory processing to crack RSA, and whether it could be done in a shorter timeframe than waiting for the arrival of quantum computers. The basic study resulted from a Small Business Innovation Research (SBIR) contract with the US Air Force.

The approach taken was to use software emulation focusing on test problems from 30 to 150 bits. “Results showed that the circuit generated the appropriate congruences for benchmark problems up to 300 bits, and the time needed to factorize followed a 2nd-degree polynomial in the number of bits,” MemComputing announced. In other words, with in-memory computing the time needed to factor larger numbers grows far more slowly than the exponential increase seen with classical algorithms.

“The next step is to extend the effective range beyond 300 bits, which requires customizing the SOG [self-organizing gate] design to even larger factorization problems, with the end goal of realizing the capability in an Application Specific Integrated Circuit (ASIC),” continued the company.

An ASIC is a custom chip. They are already widely used for different applications. They take longer and are more costly to produce than general purpose classical computer chips, but neither is in the same league as developing and waiting for a quantum computer.

Specifically, the researchers said, “The timing for the ASIC realization of the MEMCPU Platform is also reported. The ASIC timing can be easily estimated since the MEMCPU Platform, being a circuit emulator, returns the full dynamics of the circuit, including the simulated runtime. It is worth noting that, at this point in our R&D, the forecast for the ASIC shows the possibility of solving a 2048-bit factorization problem in tens of minutes.”
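A worked estimate, added here and not part of the article or MemComputing’s paper, puts the two scaling claims side by side using only the numbers quoted above. GNFS is not exponential but sub-exponential: its heuristic running time on an $n$ with $\ln n$ natural-log bits is

$$L_n\!\left[\tfrac{1}{3}, c\right] = \exp\!\left((c + o(1))\,(\ln n)^{1/3}(\ln \ln n)^{2/3}\right), \qquad c = (64/9)^{1/3} \approx 1.923 .$$

Dropping the $o(1)$ term, an 829-bit modulus has $\ln n \approx 574.6$ and exponent $\approx 54.9$; a 2048-bit modulus has $\ln n \approx 1419.6$ and exponent $\approx 81.0$. The ratio is therefore about $e^{26} \approx 2 \times 10^{11}$, and scaling the 2,700 core-years quoted above gives on the order of $10^{14}$ to $10^{15}$ core-years for RSA-2048: far longer than the age of the universe on one core, and still hundreds of millions of years for a million-core cluster (the dropped $o(1)$ term and hardware differences make this an order-of-magnitude figure, not a prediction). If instead time follows a second-degree polynomial in the bit length, as MemComputing reports for its emulation, going from the 300-bit benchmarks to 2048 bits costs only a factor of about $(2048/300)^2 \approx 47$, which is what turns ‘longer than the age of the universe’ into ‘tens of minutes’, provided the quadratic scaling observed in emulation survives in silicon.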

This conclusion is, of course, theory rather than demonstrable fact. The theory, however, is based on a body of fact, and theoretical research underlies much of today’s demonstrable science. If it all proves practical, the feared ‘cryptopocalypse’ (the death of current encryption) might be sooner than expected – caused by in-memory computing ASICs rather than quantum computers.

Related: How Quantum Computing Will Impact Cybersecurity

Related: Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse

Related: Quantum Decryption Brought Closer by Topological Qubits

Related: US Government Publishes Guidance on Migrating to Post-Quantum Cryptography

https://www.securityweek.com/beyond-quantum-memcomputing-asics-could-shatter-2048-bit-rsa-encryption/




In Other News: Ex-Uber Security Chief Appeal, New Offerings From Tech Giants, Crypto Bounty

SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under the radar.

We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.

Each week, we will curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.

Here are this week’s stories:  

Ex-Uber security chief appeals data breach cover-up conviction

Former Uber security chief Joe Sullivan has filed an appeal after he was sentenced to probation and community service earlier this year for covering up the data breach suffered by the ride-sharing giant in 2016. His legal team described the verdict as ‘profoundly flawed’.

$12,000 bounty offered for NIST elliptic curve seeds

A bounty of more than $12,000 — the amount is tripled if donated to charity — has been offered to anyone who can find the seeds for the NIST elliptic curves that power much of modern cryptography. It’s believed that the seeds were generated by hashing sentences written in English, but the person who picked them has passed away.
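Why a seed preimage would matter, as an added example that is not from SecurityWeek or from the bounty post: each NIST curve’s $b$ coefficient is tied to its seed by the ANSI X9.62 “verifiably random” procedure, which expands the seed with SHA-1 and requires $r \cdot b^2 \equiv a^3 \pmod p$. The code below recomputes $r$ from P-256’s published SEED (FIPS 186-4, D.1.2.3) and checks that relation against the published $b$, then tests the bounty’s hypothesis, that the SEED itself is SHA-1 of an English sentence, against a made-up candidate phrase. Only P-256’s constants are included; the function names and the phrase are this example’s own.

```python
import hashlib

# P-256 domain parameters as published in FIPS 186-4 (D.1.2.3): the prime p,
# a = p - 3, the coefficient b and the 160-bit SEED that b was derived from.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def derive_r(seed: bytes, p: int) -> int:
    """ANSI X9.62 'verifiably random' expansion of SEED into the integer r.

    With t = bitlen(p), s = floor((t-1)/160) and v = t - 160*s:
      W0 = the v rightmost bits of SHA-1(SEED) with its leftmost bit cleared,
      Wi = SHA-1((SEED + i) mod 2^g) for i = 1..s   (g = bit length of SEED),
      r  = integer value of W0 || W1 || ... || Ws.
    For P-256: t = 256, s = 1, v = 96.
    """
    g = len(seed) * 8
    t = p.bit_length()
    s = (t - 1) // 160
    v = t - 160 * s
    h0 = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    w = h0 & ((1 << v) - 1)        # keep the v rightmost bits
    w &= ~(1 << (v - 1))           # clear the leftmost of those v bits (keeps r < p)
    z = int.from_bytes(seed, "big")
    for i in range(1, s + 1):
        s_i = ((z + i) % (1 << g)).to_bytes(g // 8, "big")
        w = (w << 160) | int.from_bytes(hashlib.sha1(s_i).digest(), "big")
    return w


def b_matches_seed(p: int, a: int, b: int, seed: bytes) -> bool:
    """The published b is consistent with SEED iff r * b^2 == a^3 (mod p)."""
    r = derive_r(seed, p)
    return (r * b * b) % p == (a * a * a) % p


def phrase_is_seed_preimage(phrase: str, seed: bytes) -> bool:
    """The bounty's hypothesis: SEED = SHA-1(some English sentence). A match would
    make it very hard to argue the seed was chosen to hide a weakness in the curve."""
    return hashlib.sha1(phrase.encode("utf-8")).digest() == seed


if __name__ == "__main__":
    print("P-256 b derives from its SEED:", b_matches_seed(P256_P, P256_A, P256_B, P256_SEED))
    # Made-up candidate phrase; it does not match, which is exactly the open problem.
    print("candidate phrase is the preimage:",
          phrase_is_seed_preimage("Jerry deserves a raise.", P256_SEED))
```

The first check is what “verifiably random” actually verifies: that $b$ came from the seed. It says nothing about where the seed came from, which is why a second preimage, from seed back to a sentence, is worth money.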

Intellexa Alliance’s surveillance products

Amnesty International and the European Investigative Collaborations (EIC) media network have conducted a detailed analysis of the surveillance products offered by NSO Group competitor Intellexa, which is known for its Predator spyware. The investigation reveals “a catastrophic failure to regulate surveillance trade”, the organizations said. 

$7 billion in cryptocurrency laundered via cross-chain services

A record $7 billion in cryptocurrency has been laundered through cross-chain services, much of it by North Korea’s notorious Lazarus cyber group, according to Elliptic. Cross-chain activities involve quickly swapping crypto-assets between different tokens or blockchains in an effort to obfuscate their origin. 

Vast majority of African financial apps expose secrets

Mobile security firm Approov has conducted a study of 224 financial Android applications used across Africa and found that 95% of them expose secrets that could allow malicious actors to obtain personal and financial data. The analysis found that 33% of cryptocurrency apps expose highly sensitive secrets, and 15% of the studied apps expose authentication tokens. 

Honeywell launches new OT security solution for enterprises

Honeywell has announced the launch of Cyber Watch, a breakthrough enterprise solution designed to help organizations protect operational technology (OT). The solution provides visibility into risks and vulnerabilities at the site level and the enterprise level. 

Microsoft expands Security Experts offerings

Microsoft has expanded its Security Experts offering. The tech giant announced the general availability of Microsoft Defender Experts for XDR, Defender Experts for Hunting, and Incident Response Retainer. It also announced the restructuring of Microsoft Security Enterprise Services, formerly known as Microsoft Security Services for Modernization. 

Google announces passwordless by default and other security updates

Google has made an announcement related to its passwordless initiative: passkeys are being made even more accessible by offering them as the default option across personal Google Accounts. In addition, the company announced the use of AI-powered defenses to make email safer, and the use of the Tensor G3 chip to improve the security of Pixel devices. 

IBM unveils AI-powered managed detection and response services

IBM has announced new managed detection and response service offerings powered by AI technologies. The new Threat Detection and Response Services (TDR) provide 24×7 monitoring, investigation, and automated remediation of security alerts from existing security tools and other resources. 

New LostTrust ransomware

SentinelOne has detailed a new ransomware operation named LostTrust, which emerged in September. LostTrust has been linked to SFile, Mindware and MetaEncryptor.

Related: In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea

Related: In Other News: Funding Increase, Abuse of Smartphone Location Data, Legal Matters

https://www.securityweek.com/in-other-news-ex-uber-security-chief-appeal-new-offerings-from-tech-giants-crypto-bounty/




CISA Releases New Identity and Access Management Guidance

The US Cybersecurity and Infrastructure Security Agency (CISA) has released new guidance on how federal agencies can integrate identity and access management (IDAM) capabilities into their identity, credential, and access management (ICAM) architectures.

The new document (PDF) was released as part of CISA’s Continuous Diagnostics and Mitigation (CDM) program, which provides information security continuous monitoring (ISCM) capabilities to help federal agencies improve the security of their networks.

“There is no singular, authoritative, recognized way to architect an ICAM capability across an enterprise, which results in many U.S. government agencies approaching this from different directions with different priorities. Compounding this issue, agency Identity Management maturities vary, especially those related to tool expertise and ICAM-related policies, which may complicate the ongoing CDM integration efforts and lead to incomplete or ineffective ICAM deployments,” CISA notes.

To address this issue, CISA’s new guidance clarifies the CDM program’s IDAM scope, CDM IDAM capabilities, and federal agencies’ ICAM practice areas, and provides a CDM ICAM reference architecture that can be used to deploy a robust and effective ICAM capability with CDM functionality, the agency explains.

CDM IDAM capabilities, CISA notes, include sub-capabilities for privileged access management (PAM), identity lifecycle management (ILM), and mobile identity management (MIM). Non-person entities (NPE) and other non-PKI authenticators are also included, under manage credentials and authentication (CRED).

PAM focuses on the management of privileged human and non-person entities and includes tools for ensuring strong authentication, ILM focuses on the lifecycle management of user identity and associated privileges, while MIM focuses on securing the use of mobile devices.

The CDM ICAM reference architecture, which also includes federation services (this includes additional service endpoints, the identity provider, and the service provider), is also meant to help agencies enable Zero Trust Architecture (ZTA).

The new guidance also details a notional CDM ICAM physical architecture, provides an overview of challenges that CDM ICAM faces, describes how ICAM use cases are implemented in ICAM services and components, and provides a series of recommendations for federal agencies to advance the development of the Identity Pillar of a ZTA.

Federal agencies are encouraged to review CISA’s new guidance and use it for implementing ICAM capabilities.

Related: CISA Releases Open Source Software Security Roadmap

Related: CISA Releases Guidance on Adopting DDoS Mitigations

Related: MITRE and CISA Release Open Source Tool for OT Attack Emulation

https://www.securityweek.com/cisa-releases-new-identity-and-access-management-guidance/




CISA Hires ‘Mudge’ to Work on Security-by-Design Principles

The U.S. government’s cybersecurity agency CISA on Monday confirmed the addition of Peiter ‘Mudge’ Zatko to its roster of prominent voices preaching the gospel of security-by-design and secure-by-default development principles.

Zatko, most recently the CISO at Twitter who blew the whistle on the social media giant’s security shortcomings, is joining the agency in a part-time capacity to work on the “security and resilience by design” pillar of the Biden administration’s National Cybersecurity Strategy.

A statement from CISA boss Jen Easterly confirmed Mudge’s addition as Senior Technical Advisor to work on shaping a culture of security-by-design everywhere.

“Mudge joins us in a part-time capacity to help us collaboratively shape a culture of security by design that is foundational to every security team, every C-suite, and every board room in the country,” Easterly said. Zatko’s hiring was first reported by the Washington Post.

Zatko is a famous hacker from the L0pht/cDc collectives who is credited with some of the earliest research work around buffer overflow vulnerabilities. He previously served as a DARPA program manager and created the Cyber Fast Track program that provided resources to hackers and hacker spaces.

Zatko served as Twitter’s security boss for two years before filing a whistleblower complaint to Congress describing “extreme, egregious deficiencies” in Twitter’s handling of user information and multiple violations of SEC and FTC regulations.

In addition to Zatko, CISA recently hired former Yahoo CISO Bob Lord and researcher Jack Cable to evangelize the security-by-design pillar of the National Cybersecurity Strategy and CISA’s own Strategic Plan.


The CISA security-by-design plan calls for technology manufacturers to make Secure-by-Design and Secure-by-Default the focal points of product design and development processes.

“Secure-by-design means that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure,” according to the CISA document. “Software manufacturers should perform a risk assessment to identify and enumerate prevalent cyber threats to critical systems, and then include protections in product blueprints that account for the evolving cyber threat landscape.”

In addition, CISA is pushing a “Secure-by-Default” principle that ensures that products are resilient against prevalent exploitation techniques out of the box without additional charge.

“These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. Secure-by-Default products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls,” the agency said.

Related: CISA Pushes Secure-by-design, Secure-by-default Principles

Related: Whistleblower: China, India Had Agents Working for Twitter

Related: Peiter ‘Mudge’ Zatko: The Wild Card in Musk’s Clash With Twitter

Related: ‘Mudge’ Named Head of Security at Twitter

https://www.securityweek.com/cisa-hires-mudge/




US Government Publishes Guidance on Migrating to Post-Quantum Cryptography

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) have published new guidance to encourage organizations to begin early planning for post-quantum cryptography migration.

Titled Quantum-Readiness: Migration to Post-Quantum Cryptography (PDF), the document details the impact of quantum capabilities and urges organizations – especially those in critical infrastructure – to create quantum-readiness roadmaps, conduct inventories, assess risks, and start engaging with vendors.

Following a White House memo and a CISA alert on quantum computing risks, the new guidance comes in anticipation of NIST’s post-quantum cryptographic (PQC) standards, expected to be released in 2024.

“Early planning is necessary as cyber threat actors could be targeting data today that would still require protection in the future (or in other words, has a long secrecy lifetime), using a catch now, break later or harvest now, decrypt later operation,” the guidance reads.

According to the document, existing cryptographic products, protocols, and services, which rely on public key algorithms, will likely be updated or replaced to become quantum-resistant and protect against future threats.

CISA, NSA, and NIST encourage organizations to proactively prepare for migrating to products that adhere to post-quantum cryptographic standards and to implement measures to reduce the risks posed by a ‘cryptanalytically-relevant quantum computer’ (CRQC).

“While the PQC standards are currently in development, the authoring agencies encourage organizations to create a quantum-readiness roadmap by first establishing a project management team to plan and scope the organization’s migration to PQC,” the document reads.


Quantum-readiness project teams, the guidance notes, should assess an organization’s reliance on quantum-vulnerable cryptography, such as systems performing digital-signature operations, including software and firmware updates, and then begin the quantum risk assessment process and vendor engagement.

“Organizations are often unaware of the breadth of application and functional dependencies on public-key cryptography that exist within the products, applications, and services widely deployed within their operational environments, leading to a lack of visibility. The project team should lead the creation of such an inventory,” CISA, NSA, and NIST note.

The three agencies encourage manufacturers and vendors of products that use quantum-vulnerable cryptography to review the NIST-published draft PQC standards and prepare themselves to support PQC as soon as the standards are finalized.
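The inventory and risk-assessment steps above can be turned into a simple triage: public-key uses are quantum-vulnerable, and confidentiality uses whose secrecy lifetime outlasts the expected arrival of a CRQC are the ones exposed to "harvest now, decrypt later". The following is an added illustration, not code from the CISA/NSA/NIST guide; the inventory rows and the ten-year CRQC horizon are constructed assumptions.

```python
"""Triage a cryptographic inventory for post-quantum migration (added example)."""
from dataclasses import dataclass

# Public-key families broken by Shor's algorithm once a CRQC exists.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "EDDSA"}
# Symmetric/hash primitives survive, but Grover's algorithm roughly halves
# their effective strength, so short keys and digests are flagged for review.
SYMMETRIC_MIN_BITS = {"AES": 256, "SHA2": 256, "SHA3": 256, "HMAC": 256}

@dataclass
class CryptoUse:
    system: str
    algorithm: str               # e.g. "RSA", "ECDH", "AES"
    key_bits: int
    purpose: str                 # "confidentiality" or "signature"
    secrecy_lifetime_years: int  # how long the protected data must stay secret

def classify(use: CryptoUse, years_until_crqc: int) -> str:
    alg = use.algorithm.upper()
    if alg in QUANTUM_VULNERABLE:
        if use.purpose == "confidentiality" and use.secrecy_lifetime_years > years_until_crqc:
            return "HNDL-EXPOSED"  # traffic captured today is readable once a CRQC exists
        if use.purpose == "signature":
            return "PQC-SIGNATURE-NEEDED"  # forgeable once a CRQC exists; not retroactive
        return "PQC-NEEDED"
    minimum = SYMMETRIC_MIN_BITS.get(alg)
    if minimum is not None and use.key_bits < minimum:
        return "KEY-LENGTH-REVIEW"
    return "OK"

PRIORITY = {"HNDL-EXPOSED": 0, "PQC-SIGNATURE-NEEDED": 1, "PQC-NEEDED": 2,
            "KEY-LENGTH-REVIEW": 3, "OK": 4}

def triage(inventory, years_until_crqc=10):
    """Return (status, system) pairs, most urgent first. Horizon is an assumption."""
    rows = [(classify(u, years_until_crqc), u) for u in inventory]
    rows.sort(key=lambda r: (PRIORITY[r[0]], r[1].system))
    return [(status, u.system) for status, u in rows]

SAMPLE_INVENTORY = [  # constructed rows, not a real organization's inventory
    CryptoUse("patient-records-vpn", "ECDH", 256, "confidentiality", 25),
    CryptoUse("firmware-signing", "RSA", 3072, "signature", 0),
    CryptoUse("backup-archive", "AES", 128, "confidentiality", 25),
    CryptoUse("session-cookie-hmac", "HMAC", 256, "signature", 0),
    CryptoUse("public-website-tls", "RSA", 2048, "confidentiality", 1),
]

if __name__ == "__main__":
    for status, system in triage(SAMPLE_INVENTORY):
        print(f"{status:22} {system}")
```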

Related: IBM Delivers Roadmap for Transition to Quantum-safe Cryptography

Related: News Analysis: UK Commits $3 Billion to Support National Quantum Strategy

Related: Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse

https://www.securityweek.com/us-government-publishes-guidance-on-migrating-to-post-quantum-cryptography/