In a new initiative called the Secure by Design Alert series, the Cybersecurity and Infrastructure Security Agency (CISA) will highlight cases where software vendors could have prevented security breaches by applying secure design principles.
CISA understands that software development and security are complex and involve trade-offs, and does not intend to blame vendors for their choices. Instead, the series will focus on the real-world consequences of what CISA calls "anti-security" decisions, and how they could have been avoided. Rather than focusing on victim actions, the series directs attention to how vendor choices affect "harm reduction" on a worldwide scale. This focus encourages a more proactive exploration of security practices.
Web Management Interfaces
CISA warns that web management interfaces are a common target for cyber attackers who exploit vulnerabilities. CISA points out that some of the vulnerabilities affecting web management interfaces are listed in its KEV Catalog:
Cisco IOS XE Zero-Day, Privilege Escalation Vulnerability (CVE-2023-20198)
Zyxel EMG2926 Command Injection Vulnerability (CVE-2017-6884)
Ivanti Sentry (MobileIron) Zero-Day, Authentication Bypass Vulnerability (CVE-2023-38035)
D-Link DIR-859 OS Command Injection Vulnerability (CVE-2019-17621)
CISA says that software manufacturers should not blame customers for not securing their products properly. Instead, they should follow the principle of “Secure by Design” and build their products with security in mind. This way, they can help customers protect themselves from cyber threats.
Key Principles of Secure By Design
With the Secure By Design series, CISA directs attention to the threat of malicious activity against web management interfaces in two ways.
1. How to Make Your Software More Secure by Design
Security is not something that you can add to your software after it is built. It has to be designed in from the start, with the best practices and standards in mind. That's why CISA has published a set of core principles for Secure by Design software development.
One of these principles is to take ownership of your customers' security outcomes. This means that you should not leave security decisions to your customers, but rather make those decisions on their behalf, based on your expertise and knowledge. You should also test your products in different scenarios and environments, to make sure they work securely in the real world.
Some of the ways you can take ownership of your customers' security outcomes are:
Disable the web interface by default, and provide a guide on how to enable it safely if needed.
Avoid exposing your product to the public internet, and warn your customers if they do so.
Enforce strong authentication on all critical interfaces, such as admin portals.
Embed best practices and standards into your product's default settings.
By following these guidelines, you can make your software more secure by design, and help your customers achieve better security outcomes.
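The four practices above map directly onto a handful of default settings and startup checks. The following Python sketch is an added example written for this post; it is not CISA's code and not a product's actual configuration. It models a hypothetical web management interface that is disabled by default, binds to loopback by default, refuses to start while it would be reachable from a public address, ships no hard-coded credential, and gates every request on a bearer token compared in constant time. The class and function names (MgmtInterfaceConfig, validate_config, is_authorized, start_if_allowed) and the sample addresses and token values are constructed for illustration.

```python
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional


@dataclass
class MgmtInterfaceConfig:
    """Settings for a hypothetical product's web management interface."""
    enabled: bool = False            # secure default: off until an operator deliberately turns it on
    bind_address: str = "127.0.0.1"  # secure default: loopback only, never all interfaces
    port: int = 8443
    admin_token: str = ""            # no hard-coded credential; the operator must provision one


def issue_admin_token() -> str:
    """Generate a random bearer token for the operator at enable time (replaces a default password)."""
    return secrets.token_urlsafe(32)


def validate_config(cfg: MgmtInterfaceConfig) -> List[str]:
    """Return the warnings a vendor should surface before the interface starts.

    An empty list means the configuration is acceptable."""
    warnings: List[str] = []
    if not cfg.enabled:
        return warnings  # nothing is listening, so there is nothing to warn about
    addr = ipaddress.ip_address(cfg.bind_address)
    # 0.0.0.0 / :: (all interfaces) or a globally routable address both mean "exposed"
    if addr.is_unspecified or addr.is_global:
        warnings.append(
            f"management interface bound to {cfg.bind_address} is reachable from outside the "
            "management network; bind to loopback or a dedicated management address")
    if len(cfg.admin_token) < 32:
        warnings.append("admin token is missing or too short; provision one with issue_admin_token()")
    return warnings


def is_authorized(cfg: MgmtInterfaceConfig, authorization_header: Optional[str]) -> bool:
    """Check an HTTP Authorization header against the configured token in constant time."""
    if not cfg.admin_token or not authorization_header:
        return False
    scheme, _, presented = authorization_header.partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), cfg.admin_token.encode())


class AdminHandler(BaseHTTPRequestHandler):
    """Every admin endpoint is gated by is_authorized(); there is no unauthenticated path."""
    config: MgmtInterfaceConfig = MgmtInterfaceConfig()

    def do_GET(self) -> None:
        if not is_authorized(self.config, self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Bearer")
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"admin console\n")


def start_if_allowed(cfg: MgmtInterfaceConfig) -> Optional[HTTPServer]:
    """Refuse to start when the interface is disabled or validation produced warnings."""
    if not cfg.enabled or validate_config(cfg):
        return None
    AdminHandler.config = cfg
    return HTTPServer((cfg.bind_address, cfg.port), AdminHandler)


if __name__ == "__main__":
    # Weak settings that mirror the anti-patterns in the alert (constructed values).
    weak = MgmtInterfaceConfig(enabled=True, bind_address="0.0.0.0", admin_token="admin")
    for w in validate_config(weak):
        print("WARNING:", w)
    print("weak config started:", start_if_allowed(weak) is not None)
    # Secure-by-design profile: enabled deliberately, loopback-only, random token.
    hardened = MgmtInterfaceConfig(enabled=True, admin_token=issue_admin_token())
    print("hardened warnings:", validate_config(hardened))
```

The point of the design is that the operator has to opt in to every risky state: the interface does not listen until enabled, a public bind address is reported rather than silently accepted, and there is no credential to guess because one is only ever generated at enable time.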
2. Radical Transparency and Accountability
Software makers should be honest about their product flaws to improve cybersecurity. They should track the root causes of vulnerabilities and fill in the CWE field in CVE entries so that the underlying weakness class behind each coding error is visible. This helps customers understand and manage risks and also helps the industry learn from mistakes.
Software makers should also avoid repeating the same vulnerabilities in their products. Making secure products is hard and takes time. However, by finding and fixing the common problems in software design and configuration, we can focus on the areas that need more work.
What Next?
If you are responsible for managing the security of your organization's data and systems, you may feel overwhelmed by the complexity and uncertainty of the cyber threat landscape. How do you know what are the best practices and standards to follow? How do you measure and improve your security posture? How do you demonstrate compliance and trust to your customers and stakeholders?
One way to answer these questions is to leverage the government-provided information that is available to help you guide your security program management. For example, the National Institute of Standards and Technology (NIST) publishes the Cybersecurity Framework, a voluntary set of guidelines, best practices, and standards that can help you identify, protect, detect, respond, and recover from cyberattacks. The NIST Framework is widely adopted by organizations of all sizes and sectors, and can help you align your security objectives with your business goals.
Another way is to take advantage of resources from the Cybersecurity and Infrastructure Security Agency (CISA), which, as the nation's risk advisor, provides timely and actionable information on current and emerging threats, vulnerabilities, and incidents. CISA also offers free services and resources to help you assess and improve your security posture, such as vulnerability scanning, phishing testing, incident response, and cyber hygiene.
However, even with these valuable sources of information, you may still face challenges in implementing and maintaining an effective security program. You may lack the time, resources, or expertise to keep up with the evolving threats and regulations. You may need external validation or certification to demonstrate your compliance and maturity. You may need guidance on how to prioritize your security investments and optimize your security operations.
This is where a consulting CISO from Webcheck Security can help. A consulting CISO is a seasoned security professional who can provide you with strategic and tactical advice on how to manage your security program. A consulting CISO can help you:
Assess your current security posture and identify gaps and risks
Develop a security roadmap and action plan based on industry best practices and standards
Implement security controls and processes to protect your data and systems
Monitor and measure your security performance and effectiveness
Respond to security incidents and breaches
Communicate and report on your security status to your leadership, customers, and regulators
A consulting CISO from Webcheck Security can also help you leverage the government-provided information to guide your security program management. A consulting CISO can help you:
Understand the NIST Framework and how it applies to your organization
Adopt the NIST Framework core functions, categories, subcategories, and implementation tiers
Align your security program with the NIST Framework profiles
Use the CISA services and resources to enhance your security capabilities
Stay informed of the latest cyber threats, vulnerabilities, and incidents from CISA
By working with a consulting CISO from Webcheck Security, you can benefit from their experience, knowledge, and skills in managing security programs for various organizations. You can also save time, money, and resources by outsourcing some or all of your security functions to a trusted partner. You can also gain confidence and peace of mind that your security program is aligned with industry best practices and standards.
If you are interested in learning more about how a consulting CISO from Webcheck Security can help you take advantage of government-provided information to guide your security program management, contact us today for a free consultation. We are ready to assist you with any of your security needs.