The Biden Administration’s planned order is moving ahead, as The Wall Street Journal reports. It seeks to mandate that nearly all federal agencies patch hundreds of cybersecurity vulnerabilities that are considered major risks for damaging intrusions into government computer systems.
The BOD 22-01 directive from the Cybersecurity and Infrastructure Security Agency (CISA) covers around 200 known threats that cybersecurity experts discovered between 2017 and 2020, as The Verge assesses.
For improved protection of business systems, the U.S. government is recommending:
- Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
According to threat intelligence expert Jim Gogolinski (Vice President of Research and Intelligence at iboss), the development is to be welcomed. Gogolinski's cybersecurity exploits have featured in Vanity Fair.
Gogolinski tells Digital Journal: “This shows that the U.S. Government is taking cyber security seriously. Not only is the mandate tightening down the requirements for the level of patches that must be applied, but it is also substantially shrinking the window in which the government and their related supply chain organizations have to apply these patches.”
A security patch refers to a change applied to software to correct a vulnerability. It is assumed that the corrective action will prevent successful exploitation and remove or mitigate a threat’s capability to exploit a specific vulnerability.
However, the arrangements are not a complete solution, as Gogolinski observes: “What’s left to be seen though is whether agency teams and their vendors are prepared to actually make all these patches within the required window.”
Through such actions, Gogolinski expects, the directive “may force non-compliance or require a change in software or procedures to bring the organization back into compliance, which could be a lengthy and expensive process.”
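As an added illustration (not code from the article, CISA or iboss) of the deadline tracking the directive demands of agency teams: the script below joins a constructed asset inventory with a catalogue in the layout of CISA's published KEV JSON feed (the cveID/dueDate field names are an assumption, not something this page describes) and flags which hosts are overdue or close to their due date.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed. The field names
# are an assumption; CVE identifiers and dates are placeholders, not real entries.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "product": "Example VPN", "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
        {"cveID": "CVE-0000-0002", "product": "Example Mail", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-0000-0003", "product": "Example Web", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
    ]
})

# Constructed inventory: which catalogue CVEs are still unpatched on which hosts.
INVENTORY = {
    "vpn-gw-01": ["CVE-0000-0001"],
    "mail-01": ["CVE-0000-0002", "CVE-0000-0003"],
    "web-01": [],
}

def load_catalog(raw):
    """Return {cveID: dueDate} from a KEV-style JSON document."""
    doc = json.loads(raw)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in doc["vulnerabilities"]}

def triage(inventory, catalog, today, warn_days=7):
    """Classify each unpatched catalogue CVE per host as overdue, due_soon or ok.

    `today` is an ISO date string; each result tuple carries the host, the CVE
    and the number of days overdue (for overdue) or days remaining (otherwise).
    """
    today = date.fromisoformat(today)
    report = {"overdue": [], "due_soon": [], "ok": []}
    for host, cves in inventory.items():
        for cve in cves:
            if cve not in catalog:
                continue  # not in the mandated catalogue, so outside the directive's scope
            days_left = (catalog[cve] - today).days
            if days_left < 0:
                report["overdue"].append((host, cve, -days_left))
            elif days_left <= warn_days:
                report["due_soon"].append((host, cve, days_left))
            else:
                report["ok"].append((host, cve, days_left))
    return report

if __name__ == "__main__":
    report = triage(INVENTORY, load_catalog(KEV_SAMPLE), "2022-04-28")
    for bucket, items in report.items():
        for host, cve, days in sorted(items):
            print(f"{bucket:8} {host:12} {cve} ({days} days)")
```

In practice the inventory would come from a vulnerability scanner or EDR export and the catalogue from the live feed, with the report feeding a ticketing or compliance dashboard.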