Ransomware. Five years ago, the cybersecurity community knew that term well, although among others it was far from dinner table conversation. Times have changed. Since early 2020, ransomware has hit a slew of headlines. People inside and outside of the security industry are talking about it, and many have experienced the ransomware pain firsthand.
The IBM Security 2021 Cost of a Data Breach report notes that ransomware attacks cost on average $4.62 million, excluding the cost of paying the ransom. The loss could cripple a company, to the point of shutting it down. And companies aren’t the only victims. In 2021 alone, an uptick in ransomware attacks has disrupted consumers’ basic needs from oil pipelines to the food supply chain.
The United States Federal Government has taken notice. The House of Representatives has passed five pieces of legislation addressing cybersecurity around critical systems. The Transportation Security Administration (TSA) recently released a new security directive for pipeline operators. An additional response was announced in May 2021 by U.S. President Joe Biden. The “Executive Order on Improving the Nation’s Cybersecurity” (a.k.a. EO 14028) asks federal agencies to create new requirements designed to strengthen their security programs. These requirements are still being determined, but they range from implementing a zero trust architecture to modernizing cybersecurity programs to developing a cloud security strategy.
Section four piqued our X-Force team’s interest the most, mainly because it focuses on the supply chain for critical infrastructure, which as we have seen in many of the most notable data breaches, can be attackers’ top targets. The section, “Enhancing Software Supply Chain Security” includes four themes that tie to building security into the software development lifecycle:
- Baseline Security Standards: The National Institute of Standards and Technology (NIST) will establish a baseline of standards for development of software sold to the U.S. Government, including minimums for verification of code, threat modeling and automated testing.
- Labeling “Secure Software”: A labeling system will be implemented that will reflect comprehensive levels of testing and assessment that a product may have undergone.
- Software Bill of Materials (SBOM): An SBOM will help organizations manage risk by letting them quickly determine which vulnerable software components are in their products.
- Definition of “Critical Software”: NIST will develop a clear definition of software to be covered under the EO. NIST has recommended that the initial EO implementation phase focus on standalone on-premises software that has security-critical functions or poses similar significant potential for harm if compromised.
While these themes are for software suppliers specifically, that pool is larger than you may expect. The federal government touches almost everything in the healthcare, retail, industrial and financial industries.
What are the beginning steps for companies to take today? First, appreciating that most of the requirements under the EO have not yet been identified, review the EO and assess your environment. We recommend looking into four specific areas:
- Do you have multifactor authentication, data encryption and detection and response processes built into your software development environment?
- Do you have tools to maintain trusted source code and are you performing code reviews to find and fix exploitable flaws in that code?
- Do you have tools that can help you identify and remediate known and potential vulnerabilities that may expose your software, devices and connected environment to attackers?
- Is the data about your software code or components, controls on internal and third-party software components, and tools and services present in the software development process up to date? It’s important to assess those processes and controls regularly to make sure you have accurate information and can find and fix any deficiencies.
The EO specifically calls out the importance of software testing. NIST has proposed a minimum set of standards for testing which include threat modeling, penetration testing, code-based analysis (SAST) and dynamic analysis (DAST) against the software code and any related libraries, packages, and services. Remediation of critical vulnerabilities is also highlighted.
Finally, the section highlights the importance of defining incident response processes and controls, which should include 24-7 monitoring and response capabilities.
While this process may seem overwhelming and time consuming, addressing these issues can give your security and compliance programs a widespread boost. Assessing and reassessing your security investments can help you maximize their efficacy and reduce your risk of a crippling compromise. You may also get institutional buy-in from your executive team and board since the federal government is behind this EO. And with more buy-in, comes a shift in company culture. Security may be prioritized from the top down, which may mean more resources and budget.
Addressing the EO can also help get your house in order. You will understand your people, processes, and technology at all times. You will have the opportunity to understand what data you have, where it is flowing, what it controls, and which cloud services are in place.
The federal government has its eyes on security, and we expect that focus to only increase.
If you are seeking to partner with a team of EO experts, IBM Security can help. X-Force is happy to discuss your environment and how the EO may apply.
To learn more, visit: www.ibm.com/security/executive-order-cybersecurity
Associate Partner, X-Force Red
Abby Ross is Associate Partner for X-Force Red, IBM Security's team of veteran hackers. Abby is a seasoned marketing and public relations professional, with ...