Ransomware. Five years ago, the cybersecurity community knew that term well, although outside that community it was far from dinner table conversation. Times have changed. Since early 2020, ransomware has hit a slew of headlines. People inside and outside of the security industry are talking about it, and many have experienced the ransomware pain firsthand.

The IBM Security 2021 Cost of a Data Breach report notes that ransomware attacks cost on average $4.62 million, excluding the cost of paying the ransom. The loss could cripple a company, to the point of shutting it down. And companies aren’t the only victims. In 2021 alone, an uptick in ransomware attacks has disrupted consumers’ basic needs from oil pipelines to the food supply chain.

The United States Federal Government has taken notice. The House of Representatives has passed five pieces of legislation addressing cybersecurity around critical systems. The Transportation Security Administration (TSA) recently released a new security directive for pipeline operators. An additional response was announced in May 2021 by U.S. President Joe Biden. The “Executive Order on Improving the Nation’s Cybersecurity” (a.k.a. EO 14028) asks federal agencies to create new requirements designed to strengthen their security programs. These requirements are still being determined, but they range from implementing a zero trust architecture to modernizing cybersecurity programs to developing a cloud security strategy.

Section four piqued our X-Force team’s interest the most, mainly because it focuses on the supply chain for critical infrastructure, which, as we have seen in many of the most notable data breaches, can be attackers’ top target. The section, “Enhancing Software Supply Chain Security”, includes four themes that tie to building security into the software development lifecycle:

  • Baseline Security Standards: The National Institute of Standards and Technology (NIST) will establish a baseline of standards for development of software sold to the U.S. Government, including minimums for verification of code, threat modeling and automated testing.
  • Labeling “Secure Software”: A labeling system will be implemented that will reflect comprehensive levels of testing and assessment that a product may have undergone.
  • Software Bill of Materials (SBOM): An SBOM will help organizations manage risk by letting them quickly determine which vulnerable software components are in their products.
  • Definition of “Critical Software”: NIST will develop a clear definition of software to be covered under the EO. NIST has recommended that the initial EO implementation phase focus on standalone on-premises software that has security-critical functions or poses similar significant potential for harm if compromised.
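As an added illustration of the SBOM lookup described above (example code written for this article, not IBM’s or NIST’s tooling), the script below reads a constructed CycloneDX-style SBOM and matches each component against a constructed advisory list with half-open affected-version ranges; the component names and advisory ids are placeholders, not real packages or CVEs.

```python
import json

# Constructed, minimal CycloneDX-style SBOM; not a real product's inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "libexample-tls", "version": "1.2.3"},
    {"name": "jsonparse", "version": "4.0.1"},
    {"name": "imgdecode", "version": "0.9.7"}
  ]
}
"""

# Constructed advisory feed: component name -> [(first affected, first fixed, advisory id)].
# The advisory ids are placeholders, not real CVE numbers.
ADVISORIES = {
    "libexample-tls": [("1.0.0", "1.2.4", "ADV-PLACEHOLDER-001")],
    "jsonparse": [("3.0.0", "4.0.0", "ADV-PLACEHOLDER-002")],
}


def parse_version(v: str) -> tuple:
    """Split a dotted version into a tuple of ints so that 1.10.0 sorts after 1.9.0."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, first_affected: str, first_fixed: str) -> bool:
    """True if first_affected <= version < first_fixed (half-open range, fix version excluded)."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def find_vulnerable_components(sbom_json: str, advisories: dict) -> list:
    """Return (component, version, advisory_id) for every SBOM entry inside an affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for first_affected, first_fixed, adv_id in advisories.get(comp["name"], []):
            if is_affected(comp["version"], first_affected, first_fixed):
                hits.append((comp["name"], comp["version"], adv_id))
    return hits


if __name__ == "__main__":
    for name, version, adv in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{name} {version} is affected by {adv}")
```

Only libexample-tls is reported: jsonparse 4.0.1 already carries the fix version, and imgdecode has no advisory on file.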

While these themes are for software suppliers specifically, that pool is larger than you may expect. The federal government touches almost everything in the healthcare, retail, industrial and financial industries.

What are the beginning steps for companies to take today? First, appreciating that most of the requirements under the EO have not yet been identified, review the EO and assess your environment. We recommend looking into four specific areas:

  • Do you have multifactor authentication, data encryption and detection and response processes built into your software development environment?
  • Do you have tools to maintain trusted source code and are you performing code reviews to find and fix exploitable flaws in that code?
  • Do you have tools that can help you identify and remediate known and potential vulnerabilities that may expose your software, devices and connected environment to attackers?
  • Is the data about your software code or components, controls on internal and third-party software components, and tools and services present in the software development process up to date? It’s important to assess those processes and controls regularly to make sure you have accurate information and can find and fix any deficiencies.

The EO specifically calls out the importance of software testing. NIST has proposed a minimum set of standards for testing which include threat modeling, penetration testing, code-based analysis (SAST) and dynamic analysis (DAST) against the software code and any related libraries, packages, and services. Remediation of critical vulnerabilities is also highlighted.

Finally, the section highlights the importance of defining incident response processes and controls, which should include 24-7 monitoring and response capabilities.

While this process may seem overwhelming and time consuming, addressing these issues can give your security and compliance programs a widespread boost. Assessing and reassessing your security investments can help you maximize their efficacy and reduce your risk of a crippling compromise. You may also get institutional buy-in from your executive team and board since the federal government is behind this EO. And with more buy-in, comes a shift in company culture. Security may be prioritized from the top down, which may mean more resources and budget.

Addressing the EO can also help get your house in order. You will understand your people, processes, and technology at all times. You will have the opportunity to understand what data you have, where it is flowing, what it controls, and which cloud services are in place.

The federal government has its eyes on security, and we expect that focus to only increase.

If you are seeking to partner with a team of EO experts, IBM Security can help. X-Force is happy to discuss your environment and how the EO may apply.

To learn more, visit: www.ibm.com/security/executive-order-cybersecurity
