CISA MS-ISAC Ransomware Guide Updated for 2023

Ransomware is the leading information security threat that has emerged in recent years, and it’s only getting worse! In the first six months of this year, 1,393 organizations have issued data breach notifications. If this keeps up, and there’s no reason to think it won’t, 2023 will beat the record set in 2021 of 1,862 data breaches reported. Ransomware is a big part of this sad total.

Back in 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released their first Ransomware Guide to try to help organizations respond effectively to this threat. In the last three years, however, ransomware has evolved greatly. Because of this, they have released an updated ransomware guide now titled #StopRansomware Guide. This guide was developed through the U.S. Joint Ransomware Task Force (JRTF) which is co-chaired by the CISA and FBI. The new title was instituted to incorporate the #StopRansomware effort into the title. (#StopRansomware is a one-stop hub for ransomware resources for individuals, businesses and other organizations. The new #StopRansomware.gov website is a collaborative effort across the federal government and is the first joint website created to help private and public organizations mitigate their ransomware risk. It contains all the latest ransomware information and advisories produced by federal authorities).

The #StopRansomware Guide has two parts: part 1 concerns ransomware and data extortion prevention best practices, and part 2 is a ransomware and data extortion response checklist. The two parts represent current best practices and recommendations based on operational insight from CISA, MS-ISAC, the National Security Agency (NSA), and the FBI (these are known as the authoring organizations). The changes made from the old guide to this current version include:

  • Added FBI and NSA as co-authors based on their contributions and operational insight.
  • Incorporated the #StopRansomware effort into the title.
  • Added recommendations for preventing common initial infection vectors, including compromised credentials and advanced forms of social engineering.
  • Updated recommendations to address cloud backups and zero trust architecture (ZTA).
  • Expanded the ransomware response checklist with threat hunting tips for detection and analysis.
  • Mapped recommendations to CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).

In my next series of blogs, I will go into detail about the latest best practices recommendations for ransomware prevention and response that are contained in new #StopRansomware Guide. To get started, here are the initial steps that the guide recommends that all organizations undertake to prepare and protect their facilities, personnel, and customers from cyber and physical security threats and other hazards:

  • Join a sector-based information sharing and analysis center (ISAC), where eligible, such as:
    • MS-ISAC for U.S. State, Local, Tribal, & Territorial (SLTT) Government Entities – learn.cisecurity.org/ms-isac-registration. MS-ISAC membership is open to representatives from all 50 states, the District of Columbia, U.S. Territories, local and tribal governments, public K-12 education entities, public institutions of higher education, authorities, and any other non-federal public entity in the United States.
    • Elections Infrastructure Information Sharing & Analysis Center (EI-ISAC) for U.S. Elections Organizations – learn.cisecurity.org/ei-isac-registration. (See the National Council of ISACs for more information).
  • Contact CISA at CISA.JCDC@cisa.dhs.gov to collaborate on information sharing, best practices, assessments, exercises, and more.
  • Contact your local FBI field office for a list of points of contact (POCs) in the event of a cyber incident.

Remember, ransomware groups such a CLOP are ruthless, talented and waiting to pounce on any organization, government or private sector, that they are able to compromise. Get started today on educating your personnel and preparing to resist and respond to ransomware attacks.

5 Tips for User Access Auditing in Linux

User access auditing is a critical aspect of maintaining a secure and efficient computing environment. It provides a detailed record of user activities, helping administrators identify potential security risks, ensure compliance with access control policies, and detect any unauthorized or suspicious activities. Regular user access audits can also aid in troubleshooting, system optimization, and forensic investigations. In essence, user access auditing is not just about security, but also about gaining insights into user behavior and system usage, which are invaluable for improving system reliability and performance.

1. Understand the Basics of Linux Permissions: Linux permissions are the first line of defense in securing your system. They determine who can read, write, and execute files. The three types of Linux permissions are User (u), Group (g), and Others (o). Familiarize yourself with the `chmod` command to modify these permissions and the `ls -l` command to view them.

2. Use the `last` Command: The `last` command in Linux provides a list of the last logged-in users on your system. This is a great tool for auditing user access as it allows you to see who has been accessing your system and when. Regularly check this log to keep track of user activity.

3. Audit User Accounts with `cat /etc/passwd`: This command will display a list of all user accounts on your Linux system. Regularly auditing this list can help you identify any unauthorized or inactive accounts that should be removed or disabled to enhance system security.

4. Monitor User Activity with `w` and `who` Commands: The `w` command displays who is currently logged in and what they are doing, while the `who` command shows who is currently logged in. Regularly monitoring user activity can help you identify any suspicious behavior.

5. Leverage Linux Auditing System (Auditd): Auditd is a powerful tool that allows you to monitor almost any event on your Linux system. You can use it to track security-related events, record system calls, and log any changes to your system files. Regularly review the logs generated by Auditd to ensure there are no unauthorized changes or activities on your system.

Regular monitoring and auditing of user activities are crucial to maintaining a secure Linux environment.

 

*This article was written with the help of AI tools and Grammarly.

Maintaining a Well Developed Infosec Program? Piece of cake!

When you mention building a good information security program to most business employees, especially developing and maintaining written information security policies, you’ll see most of them cringe and get that far away look in their eyes. I can understand that completely! Developing and implementing a modern infosec program is a long and often difficult process. You have to go through assessments to ascertain the level of your current infosec program, you have to determine what level of infosec program you need to finally attain and you have to plan exactly how you are going to achieve your information security goals. For most even smallish to medium-size organizations, this can take three years or more. It can make you tired just thinking about it!

However, the unexpected good news about the whole thing is that, once the program is in place, it’s a piece of cake to maintain it! All that is needed is regular reviews and updates of the program particulars to ensure they remain current and effective. On top of that, having a good infosec program in place and well maintained can help you keep your current customers and entice new customers to utilize your services. This is especially true in the modern business environment which is plagued with oodles of very competent cyber-criminals and adversarial nation states who employ everything from malware and zero days to clever attack strategies and mechanisms such as social engineering techniques to steal your money and ruin your business reputation. Let’s face it, if your organization provides or uses business services in the age of supply chain attacks, you truly need to be able to demonstrate information security competency just to keep your head above water.

So how do you begin the process of developing your infosec program? There are so many steps in the process it is natural to feel overwhelmed by the scope of the whole thing. Luckily, there is a fine mechanism out there to help you get off to a good start in implementing your program; this is the Center for Internet Security (CIS) Critical Security Controls assessment. In this assessment, you first consult with the assessor to discuss the particular business and the information security goals you need to achieve to provide strong security. In the next stage of the process, the assessor meets with pertinent staff (usually by teleconference) to ascertain what CIS security controls you currently have in place and what level of maturity they are at. This usually is done in two or three meetings. The assessor then analyzes the results of the assessment and provides your organization with roadmaps for closing the control gaps found during the assessment and meeting the control goals of the organization. This roadmap is typically split into several phases. With a typical three-year overall timeframe for achieving aspirational goals, these phases will include immediate goals (3-6 months), short-term goals, (6-12 months), intermediate goals (13-24 months) and long-term goals (25-36 months). These roadmaps are quite detailed. They list the recommended controls to be implemented during each time period. They also list the estimated technical complexity, political complexity and financial cost of implementing each control rated as high, medium or low. Other implementation guidance is also listed for each control as necessary. As you can see, having this process and roadmaps in place, your organization will have a good start on implementing the program and will quickly lose that feeling of being overwhelmed.

High-Level Project Plan for CIS CSC Implementation

Overview:

Implementing the controls and safeguards outlined in the Center for Internet Security (CIS) Critical Security Controls (CSC) Version 8 is crucial for organizations to establish a robust cybersecurity framework. This article provides a concise project plan for implementing these controls, briefly describing the processes and steps involved.

Plan:

1. Establish a Governance Structure:

– Define roles and responsibilities for key stakeholders.

– Develop a governance framework for the implementation project.

– Create a project charter to outline the project’s scope, objectives, and timelines.

2. Conduct a Baseline Assessment:

– Perform a comprehensive assessment of the organization’s existing security posture.

– Identify gaps between the current state and the requirements of CIS CSC Version 8.

– Prioritize the controls that need immediate attention based on the assessment results.

3. Develop an Implementation Roadmap:

– Define a clear timeline for implementing each control, based on priority.

– Identify the necessary resources, including personnel, tools, and technologies.

– Establish milestones for monitoring progress throughout the implementation process.

4. Implement CIS CSC Version 8 Controls:

– Establish secure configurations for all systems and applications.

– Enable continuous vulnerability management and patching processes.

– Deploy strong access controls, including multi-factor authentication and privilege management.

5. Implement Continuous Monitoring and Incident Response:

– Establish a comprehensive incident response plan.

– Deploy intrusion detection and prevention systems.

– Develop a continuous monitoring program to identify and respond to security events.

6. Engage in Security Awareness Training:

– Train employees on security best practices, including email and social engineering awareness.

– Conduct periodic security awareness campaigns to reinforce good cybersecurity hygiene.

– Provide resources for reporting suspicious activities and encouraging a culture of security.

Summary:

Implementing the controls and safeguards outlined in CIS CSC Version 8 requires careful planning and execution. By establishing a governance structure, conducting a baseline assessment, developing an implementation roadmap, implementing the controls, continuous monitoring, and engaging in security awareness training, organizations can strengthen their security posture and mitigate cyber threats effectively. This concise project plan is a starting point for information security practitioners seeking a robust cybersecurity framework.

If you need assistance, get in touch. MSI is always happy to help folks with CIS CSC assessments, control design, or other advisory services. 

 

*This article was written with the help of AI tools and Grammarly.

FAQ on Software Inventory

1 What is software inventory?

Software inventory refers to keeping track of all software applications and operating systems installed on devices within a network.

2. Why is software inventory important for organizations?

Maintaining an accurate software inventory is essential for any organization. Without proper monitoring and control, unauthorized software and unmanaged devices can pose potential security risks for networks and sensitive data. Knowing which software applications and operating systems are being used can help organizations identify potential vulnerabilities and develop appropriate defense strategies.

3. How can organizations maintain an accurate software inventory?

Organizations can maintain an accurate software inventory by conducting a detailed inventory, implementing controls for unmanaged software, taking continuous inventory, establishing access controls, securing service accounts, maintaining audit logs, and conducting risk assessments.

4. What are the risks of not maintaining an accurate software inventory?

The risks of not maintaining an accurate software inventory include unauthorized software and potential security breaches, difficulty in incident response planning, and non-compliance with regulatory requirements.

5. What are the best practices for software inventory?

The best practices for software inventory include conducting a detailed inventory, implementing controls for unmanaged software, taking continuous inventory, establishing access controls, securing service accounts, maintaining audit logs, and conducting risk assessments.

6. How often should organizations conduct a software inventory?

Organizations should conduct a software inventory regularly (at least monthly) to ensure that all new software and changes to existing software are recorded and tracked.

 

*This article was written with the help of AI tools and Grammarly.

Software Inventory

Background on Software Inventory and CIS CSC Version 8 Safeguards

Software inventory refers to keeping track of all software applications and operating systems installed on devices within a network. This process is crucial for ensuring all systems are updated and secure against potential security risks.

To help organizations maintain accurate inventories of software assets, the Center for Internet Security (CIS) has developed the Critical Security Controls (CSC) Version 8, which includes specific safeguards for software inventory.

These safeguards are designed to help organizations implement effective procedures for creating and maintaining an accurate inventory of all software assets. By following these best practices and safeguards, organizations can reduce their risk of security incidents and potential security breaches.

Why Software Inventory is Essential

Maintaining an accurate software inventory is essential for any organization. Without proper monitoring and control, unauthorized software and unmanaged devices can pose potential security risks for networks and sensitive data. Knowing which software applications and operating systems are being used can help organizations identify potential vulnerabilities and develop appropriate defense strategies.

A detailed inventory can also assist in incident response planning and audits. In the event of a security breach or threat, a comprehensive software inventory can provide a better understanding of the potential impact and how to mitigate it. Furthermore, audits require accurate documentation of assets, including software applications and versions, as this information is critical for compliance and risk management purposes. Overall, investing in a software inventory constitutes an essential aspect of cyber hygiene, serving as a foundational piece for defending against potential security threats.

In sum, maintaining an accurate inventory of software and hardware assets is critical for organizations. It can help reduce the risk of unauthorized software and potential security breaches, support incident response planning, and aid compliance and risk management efforts. By following industry-standard best practices, such as the CIS Critical Security Controls Version 8, organizations can ensure that software inventory procedures are implemented effectively and continuously monitored through ongoing assessment and continuous monitoring.

Best Practices for Software Inventory

Keeping an accurate and up-to-date software inventory is one of the most important steps to protect your organization from security breaches and cyber threats. The following are best practices for software inventory based on CIS CSC version 8 and industry-standard safeguards:

1. Conduct a detailed inventory: Identify all your software applications, versions, and supporting systems. This information should be organized in a way that is easy to access and understand and can be updated regularly.

2. Implement controls for unmanaged software: Unauthorized software poses a significant risk to your organization’s security. Ensure you have controls to prevent employees from installing unapproved software without your knowledge.

3. Take continuous inventory: Your software inventory should be ongoing. Regular checks ensure that all new software and changes to your existing software are recorded and tracked.

4. Establish access controls: Make sure that software applications are accessible only to individuals with a business need. This will help you minimize risks associated with uncontrolled access to software.

5. Secure service accounts: Service accounts have elevated privileges and access to your organization’s assets. Ensuring these accounts are managed and controlled to minimize potential risks is essential.

6. Maintain audit logs: Enable audit trails to track changes to your software inventory. Audit logs should be stored securely and only accessible to authorized personnel.

7. Conduct risk assessments: Regular risk assessments can help you identify vulnerabilities in your software inventory. This information can then be used to minimize risks and strengthen your security posture.

By following these best practices, you can ensure that you keep your software inventory up-to-date and secure. It is essential in preventing cyber threats and protecting your organization’s assets.

Software Inventory Sample Policy

Software inventory is a critical aspect of an organization’s security posture. It helps identify potential vulnerabilities and reduce an organization’s attack surface. This policy is designed to help organizations maintain an accurate software inventory and comply with the CIS Critical Security Controls.

1. Purpose

This policy aims to ensure that all software applications are identified, tracked, and continuously monitored to minimize the risk of unauthorized software and potential security incidents.

2. Scope

This policy applies to all software applications used within the organization and all individuals with access to these applications.

3. Policy

3.1 Software Inventory

An accurate inventory of all software applications and their versions must be maintained by the organization. This inventory must be updated regularly to reflect any changes to the software used by the organization.

3.2 Controls for Unmanaged Software

The installation of unapproved software on organization-owned devices is strictly prohibited. An approval process must be established to ensure that all software applications the organization uses are appropriately vetted, tested, and approved by authorized personnel.

3.3 Continuous Inventory

The software inventory must be continuously monitored to ensure new applications are promptly identified and logged. This process must include a review of access controls to minimize potential risks associated with unauthorized devices and software applications.

3.4 Access Controls

Access to software applications must be restricted to individuals who require the software to perform their job functions. Users must be adequately identified and authorized before granting access to any software application based on their job responsibilities.

3.5 Secure Service Accounts

Service accounts must be carefully monitored and controlled to minimize the risk of unauthorized access to organizational assets. Passwords for service accounts must be complex and changed regularly to maintain the account’s security.

3.6 Audit Logs

Audit logs must be implemented to track changes to the software inventory. These logs must be stored securely and accessible only to authorized personnel.

3.7 Risk Assessments

Regular risk assessments must be conducted to identify potential vulnerabilities in the software inventory. The results of these assessments must be used to develop appropriate controls to minimize risk.

4. Enforcement

Failure to comply with this policy could result in disciplinary action, including termination of employment.

5. Review

This policy will be reviewed and updated annually to ensure compliance with industry best practices and changing security requirements. Any changes to the policy must be approved by the organization’s security team.

Software Inventory Sample Procedures

Software Inventory Sample Procedures:

I. Identify and Classify Software:

a. Review organizational assets and identify software applications that are in use.

b. Classify software applications based on their level of security risk.

c. Assign each software application a unique identifier code.

II. Create a Software Inventory Database:

a. Develop a database to store the information gathered in step I.

b. The database must include the software application’s name, version, unique identifier code, and level of security risk.

c. Ensure access controls are in place for the database.

III. Create a Review Schedule:

a. Establish a schedule for continuously monitoring the software inventory.

b. Include a review of access controls during the review schedule.

IV. Perform Regular Audits:

a. Perform software inventory audits regularly.

b. Ensure unauthorized software is removed or approved according to the organization’s procedures.

V. Assess Risk:

a. Regularly assess risks associated with software in the inventory.

b. Identify potential vulnerabilities and determine appropriate controls.

VI. Implement Security Controls for Software:

a. Based on the risk assessment, implement security controls for the software in the inventory.

b. Monitor these controls regularly to ensure effectiveness.

VII. Document Changes and Updates:

a. Document all changes and updates to the software inventory database.

b. Assign a tracking number to the change or update.

c. Ensure that documentation is accessible only to authorized personnel.

VIII. Establish an Incident Response Plan:

a. Develop an incident response plan for potential security incidents.

b. Ensure the incident response plan includes software inventory control and management procedures.

IX. Conduct Regular Training:

a. Provide regular training to employees on the importance of software inventory management.

b. Ensure employees are aware of the organization’s policies and procedures related to software inventory control.

X. Continuously Monitor:

a. Continuously monitor the software inventory to ensure it is accurate and up-to-date.

b. Implement a system for reporting and tracking anomalies or changes found during monitoring.

By following these procedures, your organization will be able to comply with the CIS Critical Security Controls and industry-standard best practices for software inventory management. Regular review and monitoring of the inventory will reduce the risk of unauthorized software installations and potential security incidents.

 

*This article was written with the help of AI tools and Grammarly.

ChatGPT and other AI Tools Corporate Security Policy Template

As artificial intelligence continues to advance, organizations are increasingly integrating AI tools, such as ChatGPT for content and code generation, into their daily operations. With these technologies’ tremendous potential come significant risks, particularly regarding information security and data privacy. In the midst of this technological revolution, we are introducing a high-level Information Security and Privacy Policy for AI Tools. This comprehensive template is designed to provide a clear, practical framework for the secure and responsible use of these powerful tools within your organization.

About the policy template

The purpose of this policy template is to protect your organization’s most critical assets—proprietary corporate intellectual property, trade secrets, and regulatory data—from possible threats. It emphasizes the principles of data privacy, confidentiality, and security, ensuring that data used and produced by AI tools are appropriately safeguarded. Furthermore, it sets forth policy statements to guide employees and stakeholders in their interactions with AI tools, ensuring they understand and adhere to the best practices in data protection and regulatory compliance.

Why is this important?

The importance of such a policy cannot be overstated. Without proper guidelines, the use of AI tools could inadvertently lead to data breaches or the unauthorized dissemination of sensitive information. An effective Information Security and Privacy Policy provides a foundation for the safe use of AI tools, protecting the organization from potential liabilities, reputational damage, and regulatory sanctions. In an era where data is more valuable than oil, ensuring its security and privacy is paramount—and our policy template provides the roadmap for achieving just that.

More information

If you have questions or feedback, or if you wish to discuss AI tools, information security, and other items of concern, just give us a call at 614.351.1237.  You can also use the chat interface at the bottom of the page to send us an email or schedule a discussion. We look forward to speaking with you.

Template download link

You can get the template from here as a PDF with copy and paste enabled.

*This article was written with the help of AI tools and Grammarly.

5 ChatGPT Prompt Templates for Infosec Teams

In the evolving world of information security, practitioners constantly seek new ways to stay informed, hone their skills, and address complex challenges. One tool that has proven incredibly useful in this endeavor is OpenAI’s language model, GPT-3, and its successors. By generating human-like text, these models can provide valuable insights, simulate potential security scenarios, and assist with various tasks. The key to unlocking the potential of these models lies in asking the right questions. Here are five ChatGPT prompts optimized for effectiveness that are invaluable for information security practitioners.

Prompt 1: “What are the latest trends in cybersecurity threats?”

Keeping abreast of the current trends in cybersecurity threats is crucial for any security practitioner. This prompt can provide a general overview of the threat landscape, including the types of attacks currently prevalent, the industries or regions most at risk, and the techniques used by malicious actors.

Prompt 2: “Can you explain the concept of zero trust security architecture and its benefits?”

Conceptual prompts like this one can help practitioners understand complex security topics. By asking the model to explain the concept of zero-trust security architecture, you can gain a clear and concise understanding of this critical approach to network security.

Prompt 3: “Generate a step-by-step incident response plan for a suspected data breach.”

Practical prompts can help practitioners prepare for real-world scenarios. This prompt, for example, can provide a thorough incident response plan, which is crucial in mitigating the damage of a suspected data breach.

Prompt 4: “Can you list and explain the top five vulnerabilities in the OWASP Top 10 list?”

The OWASP Top 10 is a standard awareness document representing a broad consensus about web applications’ most critical security risks. A prompt like this can provide a quick refresher or a deep dive into these vulnerabilities.

Prompt 5: “What are the potential cybersecurity implications of adopting AI and machine learning technologies in an organization?”

Understanding their cybersecurity implications is essential, given the increasing adoption of AI and machine learning technologies in various industries. This prompt can help practitioners understand the risks associated with these technologies and how to manage them.

As we’ve seen, ChatGPT can be a powerful tool for information security practitioners, providing insights into current trends, clarifying complex concepts, offering practical step-by-step guides, and facilitating a deeper understanding of potential risks. The model’s effectiveness highly depends on the prompts used, so crafting optimized prompts is vital. The above prompts are a great starting point but feel free to customize them according to your specific needs or to explore new prompts that align with your unique information security challenges. With the right questions, the possibilities are virtually endless.

*This article was written with the help of AI tools and Grammarly.

FAQ on Audit Log Best Practices

Q: What are audit logs?

A: Audit logs are records of all events and security-related information that occur within a system. This information is crucial for incident response, threat detection, and compliance monitoring.

Q: Why is audit log management important?

A: Audit log management is essential for every organization that wants to ensure its data security. Without audit logs, organizations would have no way of knowing who accessed what information when or how the incident happened or whether unauthorized users or suspicious activity occurred. Moreover, audit log management supports compliance with industry regulations and guidelines.

Q: What are the best practices for audit log management?

A: To ensure that your audit log management practices meet the CIS CSC version 8 guidelines and safeguard requirements, consider implementing the following best practices:

1. Define the audit log requirements based on industry regulations, guidelines, and best practices.

2. Establish audit policies and procedures that align with your organization’s requirements and implement them consistently across all systems and devices.
3. Secure audit logs by collecting, storing, and protecting them securely to prevent unauthorized access or tampering.
4. Monitor and review audit logs regularly for anomalies, suspicious activity, and security violations, such as unauthorized access attempts, changes to access rights, and software installations.
5. Configure audit logging settings to generate records of critical security controls, including attempts to gain unauthorized access or make unauthorized changes to the network.
6. Generate alerts in real-time for critical events, including security violations, unauthorized access attempts, changes to access rights, and software installations.
7. Regularly test audit log management controls to ensure their effectiveness and meet your organization’s audit log requirements.

Q: What are the benefits of following audit log management best practices?

A: Following audit log management best practices can establish a strong framework for incident response, threat detection, and compliance monitoring. This, in turn, can help safeguard against unauthorized access, malicious activity, and other security breaches, prevent legal and financial penalties, and maintain trust levels with clients and partners.

Q: How long should audit logs be kept?

A: As a general rule, storage of audit logs should include 90 days hot (meaning actively available for immediate review or alerting), 6 months warm (meaning they can be restored within hours), and two years cold (meaning they can be restored within days). However, organizations should define retention periods based on their audit log requirements and compliance regulations. [1] [2]

*This article was written with the help of AI tools and Grammarly.

FAQ on Hardware Inventory

1. What is hardware inventory?

Hardware inventory is the comprehensive tracking and management of all hardware assets owned by an organization, including desktops, laptops, servers, and network devices. It is a required baseline control in CIS CSC Version 8 and most other best practices and regulatory guidance.

2. Why is hardware inventory important?

Hardware inventory is important because it allows organizations to better understand their attack surface and potential vulnerabilities by maintaining a detailed inventory. This data can be used to optimize hardware purchases over time, especially when performance data is also tracked.

3. How often should a hardware inventory be conducted?

It is recommended that a physical inventory of hardware assets be conducted at least once a year or when significant changes occur in the organization.

4. What information should be documented for each hardware asset?

All relevant information for each asset should be recorded, including make, model, serial number, location, owner, and software installed. Performance data is also a plus.

5. Where can I get sample policies and procedures?

You can find some sample policies and procedures here: https://stateofsecurity.com/hardware-inventory/