CISA directives are more than just compliance exercises
COMMENTARY: Why the binding operational directive on remote management should be a wake-up call for federal agencies.
We talk all the time about the hyper-connected state of the internet – how it’s all so everything, everywhere, all at once. A recent directive from the Cybersecurity and Infrastructure Security Agency underscores the seemingly infinite reach of that connectivity – and how fragile it leaves us.
In the wake of the exploitation of an SQL injection vulnerability in the MOVEit Transfer file-transfer tool, which led to breaches of federal agencies, CISA released Binding Operational Directive 23-02. The directive requires federal civilian executive branch agencies to identify networked management interfaces on routers, switches, firewalls, VPN concentrators, proxies, load balancers and out-of-band server management devices that are reachable from the public internet, and, within 14 days of discovery, either take each interface off the internet or place it behind a zero trust policy enforcement point that controls access to it.
On the surface, the June BOD looks like yet another “compliance thing.” But agencies should take a bigger-picture view here rather than the typical “check the boxes” response. They need to recognize that ubiquitous connectivity comes at a cost – the uncomfortable truth that the exploitation of a single exposed interface could very well take everything down.
The BOD serves as a wake-up call, with two immediate takeaways that government leaders should bear in mind as they proceed with compliance.
We need to take a hard look within to get better – regardless of what regulations are coming down.
If you conduct 50 attack surface profiles for 50 different government agencies, you’ll identify literally thousands of exposures. I personally know this for a fact because I’ve seen the profiles. What’s worse, the bad guys – the cybercriminal gangs and nation state-aligned adversaries who are more than willing and able to take down critical infrastructure and endanger human lives – are easily finding these exposures through open-source search tools and dark web bazaars that buy and sell exploits like everyday commodities.
Government leaders must prioritize action. They cannot sit passively and wait for CISA directives or executive orders to tell them what to do. They have to face the problems that exist – now. They have to take a proactive position and enforce accountability at all levels – now. The stakes are too high to consider any other approach.
It all starts with visibility.
The time-honored adage, “You can’t protect what you don’t know,” rings true here. More than ever, we need to adopt our attackers’ point of view and acquire an outside-in view of every asset and exposure 24/7/365. Without that awareness, we can only expect that the worst-case scenario will eventually arrive.
To avoid that, continuous discovery, inventory and monitoring of an organization’s internet-facing IT infrastructure is critical. This practice is known as attack surface management (ASM). It gives security architects near-real-time, contextualized visibility into what is exposed, which they can share with the teams that own the assets. That visibility leads to proactive policies and practices focused on protecting everything out there, wherever it exists.
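The outside-in loop described above, reduced to code, as an added example that is not part of the original commentary and not the author’s or Censys’s own tooling: it takes an inventory of services observed from the internet, flags the ones that look like in-scope management interfaces under BOD 23-02, computes the directive’s 14-day remediation deadline, and diffs two scans to surface new exposures. The inventory record layout, the port and device-class rules, and the 203.0.113.0/24 addresses are assumptions constructed for illustration; a real run would consume a scanner or ASM platform export.

```python
"""Flag internet-exposed management interfaces in an external asset inventory.

Added example, not the author's or Censys's code. The record layout, the port
and device-class rules, and the sample scans are assumptions made for
illustration; real input would be an external scanner or ASM platform export.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Remote-management protocols that BOD 23-02 lists as in scope when reachable
# from the public internet, keyed by their default ports (assumption: the
# scanner reports the well-known port; real data should use the banner too).
MANAGEMENT_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 69: "TFTP", 161: "SNMP", 445: "SMB",
    513: "rlogin", 514: "RSH", 3389: "RDP", 5900: "VNC", 6000: "X11",
}
# Web ports count only when the asset is a network or out-of-band device whose
# web UI is an admin interface, not an ordinary public website (assumption).
WEB_PORTS = {80, 443, 8080, 8443}
DEVICE_CLASSES = {"router", "switch", "firewall", "vpn", "proxy",
                  "load-balancer", "oob-management"}
REMEDIATION_WINDOW = timedelta(days=14)   # BOD 23-02: act within 14 days


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    device_class: str          # fingerprinted asset type, e.g. "router"
    product: str = ""          # vendor/product string from the banner


def classify(svc: Service) -> Optional[str]:
    """Return the management protocol name if the service is an in-scope,
    internet-exposed management interface, else None."""
    if svc.port in MANAGEMENT_PORTS:
        return MANAGEMENT_PORTS[svc.port]
    if svc.port in WEB_PORTS and svc.device_class in DEVICE_CLASSES:
        return "HTTP(S) admin UI"
    return None


def find_exposed_management_interfaces(inventory: List[Service]) -> List[Tuple[Service, str]]:
    """All flagged services in one scan, paired with the protocol that flagged them."""
    return [(s, proto) for s in inventory if (proto := classify(s))]


def new_exposures(previous: List[Service], current: List[Service]) -> List[Tuple[Service, str]]:
    """Continuous monitoring: flagged interfaces present now but not in the last scan."""
    seen = {s for s, _ in find_exposed_management_interfaces(previous)}
    return [(s, p) for s, p in find_exposed_management_interfaces(current) if s not in seen]


def remediation_deadline(discovered: date) -> date:
    """Date by which the interface must be removed from the internet or put
    behind a zero trust enforcement point under BOD 23-02."""
    return discovered + REMEDIATION_WINDOW


# Constructed sample scans (TEST-NET-3 addresses, not real assets).
PREVIOUS_SCAN = [
    Service("203.0.113.10", 443, "web-server", "nginx"),
    Service("203.0.113.20", 22, "router", "Cisco IOS"),
]
CURRENT_SCAN = PREVIOUS_SCAN + [
    Service("203.0.113.30", 8443, "firewall", "vendor admin UI"),
    Service("203.0.113.40", 3389, "server", "Windows"),
    Service("203.0.113.50", 443, "load-balancer"),
    Service("203.0.113.60", 80, "web-server", "Apache"),
]

if __name__ == "__main__":
    today = date.today()
    for svc, proto in new_exposures(PREVIOUS_SCAN, CURRENT_SCAN):
        print(f"NEW {svc.host}:{svc.port} {proto} ({svc.device_class}) "
              f"remediate by {remediation_deadline(today)}")
```

The two ordinary web servers in the sample are left alone, the router’s SSH that was already known is not reported as new, and the three interfaces that appeared since the last scan are. Tuning the rules is the real work: a web UI on port 443 is only an exposure if the fingerprint says it is a device admin interface, which is why the classification keys on device class rather than on port alone.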
We can patch security holes. We can implement network segmentation. We can enforce zero trust. But we cannot aspire to a state of absolute protection if we do not look closely within, and then proactively respond to what we see. In an age in which federal agencies serve as key contributors to a world where everything is permanently connected, this is the only sure path forward.
Brad Brooks is chief executive officer, Censys