Ransomware. Five years ago, the cybersecurity community knew that term well, but outside the industry it was far from dinner table conversation. Times have changed. Since early 2020, ransomware has hit a slew of headlines. People inside and outside of the security industry are talking about it, and many have experienced the ransomware pain firsthand.

The IBM Security 2021 Cost of a Data Breach report notes that ransomware attacks cost on average $4.62 million, excluding the cost of paying the ransom. The loss could cripple a company, to the point of shutting it down. And companies aren’t the only victims. In 2021 alone, an uptick in ransomware attacks has disrupted consumers’ basic needs from oil pipelines to the food supply chain.

The United States Federal Government has taken notice. The House of Representatives has passed five pieces of legislation addressing cybersecurity around critical systems. The Transportation Security Administration (TSA) recently released a new security directive for pipeline operators. An additional response was announced in May 2021 by U.S. President Joe Biden. The “Executive Order on Improving the Nation’s Cybersecurity” (a.k.a. EO 14028) asks federal agencies to create new requirements designed to strengthen their security programs. These requirements are still being determined, but they range from implementing a zero trust architecture to modernizing cybersecurity programs to developing a cloud security strategy.

Section four piqued our X-Force team’s interest the most, mainly because it focuses on the supply chain for critical infrastructure, which, as we have seen in many of the most notable data breaches, can be an attacker’s top target. The section, “Enhancing Software Supply Chain Security,” includes four themes that tie to building security into the software development lifecycle:

  • Baseline Security Standards: The National Institute of Standards and Technology (NIST) will establish a baseline of standards for development of software sold to the U.S. Government, including minimums for verification of code, threat modeling and automated testing.
  • Labeling “Secure Software”: A labeling system will be implemented that will reflect comprehensive levels of testing and assessment that a product may have undergone.
  • Software Bill of Materials (SBOM): An SBOM will help organizations manage risk by letting them quickly determine which vulnerable software components are in their products.
  • Definition of “Critical Software”: NIST will develop a clear definition of software to be covered under the EO. NIST has recommended that the initial EO implementation phase focus on standalone on-premises software that has security-critical functions or poses similar significant potential for harm if compromised.
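As an added illustration of the SBOM theme (this is example code, not code from the post or from IBM), the script below reads a constructed CycloneDX-style SBOM and matches each component’s package URL against a constructed advisory list to report components that are below the first fixed version. The component names, versions and advisory identifiers are all placeholders; a real check would pull advisories from a vulnerability feed.

```python
"""Check a CycloneDX-style SBOM against a list of known-vulnerable components.

Constructed example: the SBOM and the advisory list below are made up for
illustration; a real check would consume advisories from a vulnerability feed.
"""
import json

# Constructed CycloneDX-style SBOM fragment (placeholder components).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "logging-core", "version": "2.14.1",
     "purl": "pkg:maven/com.example/logging-core@2.14.1"},
    {"type": "library", "name": "json-binder", "version": "2.13.4",
     "purl": "pkg:maven/com.example/json-binder@2.13.4?type=jar"},
    {"type": "library", "name": "httpclient", "version": "2.31.0",
     "purl": "pkg:pypi/httpclient@2.31.0"}
  ]
}
"""

# Constructed advisory list: (purl without version, first fixed version, id).
# Identifiers are placeholders, not real CVE numbers.
ADVISORIES = [
    ("pkg:maven/com.example/logging-core", "2.17.1", "ADVISORY-PLACEHOLDER-1"),
    ("pkg:pypi/httpclient", "2.20.0", "ADVISORY-PLACEHOLDER-2"),
]

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def split_purl(purl):
    """Separate 'pkg:type/ns/name@version?qualifiers#subpath' into (base, version)."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version

def find_vulnerable_components(sbom_json, advisories):
    """Return (name, version, advisory id, fixed version) for each affected component."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        if not comp.get("purl"):
            continue  # components without a purl cannot be matched reliably
        base, version = split_purl(comp["purl"])
        for adv_base, fixed_in, adv_id in advisories:
            if base == adv_base and parse_version(version) < parse_version(fixed_in):
                findings.append((comp["name"], version, adv_id, fixed_in))
    return findings
```

Components with no `purl` are skipped rather than guessed at, which is itself a finding worth raising with the supplier, since an SBOM entry that cannot be matched to an advisory feed gives no risk visibility.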

While these themes are for software suppliers specifically, that pool is larger than you may expect. The federal government touches almost everything in the healthcare, retail, industrial and financial industries.

What are the beginning steps for companies to take today? First, appreciating that most of the requirements under the EO have not yet been identified, review the EO and assess your environment. We recommend looking into four specific areas:

  • Do you have multifactor authentication, data encryption and detection and response processes built into your software development environment?
  • Do you have tools to maintain trusted source code and are you performing code reviews to find and fix exploitable flaws in that code?
  • Do you have tools that can help you identify and remediate known and potential vulnerabilities that may expose your software, devices and connected environment to attackers?
  • Is the data about your software code or components, controls on internal and third-party software components, and tools and services present in the software development process up to date? It’s important to assess those processes and controls regularly to make sure you have accurate information and can find and fix any deficiencies.

The EO specifically calls out the importance of software testing. NIST has proposed a minimum set of standards for testing which include threat modeling, penetration testing, static code analysis (SAST) and dynamic analysis (DAST) against the software code and any related libraries, packages, and services. Remediation of critical vulnerabilities is also highlighted.

Finally, the section highlights the importance of defining incident response processes and controls, which should include 24-7 monitoring and response capabilities.

While this process may seem overwhelming and time consuming, addressing these issues can give your security and compliance programs a widespread boost. Assessing and reassessing your security investments can help you maximize their efficacy and reduce your risk of a crippling compromise. You may also get institutional buy-in from your executive team and board, since the federal government is behind this EO. And with more buy-in comes a shift in company culture: security may be prioritized from the top down, which may mean more resources and budget.

Addressing the EO can also help get your house in order. You will understand your people, processes, and technology at all times. You will have the opportunity to understand what data you have, where it is flowing, what it controls, and which cloud services are in place.

The federal government has its eyes on security, and we expect that focus to only increase.

If you are seeking to partner with a team of EO experts, IBM Security can help. X-Force is happy to discuss your environment and how the EO may apply.

To learn more, visit: www.ibm.com/security/executive-order-cybersecurity
