Recently, a ransomware attack struck Colonial Pipeline, shutting it down and impacting fuel supplies across the Eastern United States. Within days, the president issued a cybersecurity Executive Order to shore up the U.S. government’s stance on protection.
Cybersecurity professionals should celebrate any resolution taking these threats more seriously, but expectations need to be tempered. Initially, this announcement is unlikely to change much for the average company, school, or municipality.
Before real relief is provided, these comprehensive changes will take years to implement. Not only that, but they could also lead to more regulation complexity.
In the meantime, new vulnerabilities will still be discovered, and corresponding patches will continue to be released. Organizations must take cybersecurity matters into their own hands, without expectations for viable public resources anytime soon.
What Does the Cybersecurity Executive Order Cover?
The 34 pages of the executive order contain many mandates and currently target the government and its vendor supply chain.
A sampling of the cybersecurity Executive Order mandates includes:
- The nullification of contract terms and restrictions that prevent sharing of threat or incident information with investigators.
- Vendors must cooperate and share information with federal investigative agencies.
- Federal best practices must improve and move towards zero-trust architecture, cloud architecture, and network segmentation.
- Software supply chains must be inspected and certified from end to end.
- A Cyber Safety Review Board will be established to review attacks.
- A standardized response plan to attacks must be developed for all agencies.
- The government must adopt a centralized Endpoint Detection and Response solution.
As an executive order rather than a permanent congressional law, these directives are subject to change. Additionally, it will be interesting to see how strictly the government follows the timelines laid out in the order. This will go a long way in determining how seriously cybersecurity is taken.
Aside from government agencies, the impact of the presidential order will take a long time to be felt – if ever.
Major questions are also raised as a result of the order.
For example, in the future will civilian organizations be required to share information with the government about attacks? Will any cybersecurity technology, such as zero-trust architecture, be required for specific industries (energy, utilities, etc.)?
Although presently only government agencies and vendors are affected by the order, future regulations could change that.
Corporate-Wide Shutdowns Can Be Avoided
The draft of the president’s 34-page mandate likely began weeks ago, but the recent high-profile shutdown of Colonial Pipeline certainly provides justification. However, most of the executive order revolves around preventing attacks – what about preventing full system failures?
Complete shutdowns such as these can and should be avoided. When cyberattacks occur, hackers spread across as much of a network as they can reach. Yet they travel easily only through networks that share administrative permissions.
Network segmentation provides resilience. Even if a portion of a company’s network system is compromised and forced to close, unaffected segments continue to function normally.
For small companies, network segmentation can be cost-prohibitive, but companies much smaller than Maersk or Colonial can create segments at a reasonable cost. Companies, schools, or hospitals that cannot afford to fully shut down should always consider investing in network segmentation.
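The two claims above, that intruders spread through shared administrative permissions and that segmentation limits how far they get, can be checked on an inventory before an incident. The script below is an added illustration, not code from the original post or from Ideal Integrations; the host names, credential names and segment rules are all constructed. It models a host as reachable when an intruder already holds a credential that works there and the segment policy permits the traffic, then compares the blast radius of one compromised workstation under a flat network and a segmented one.

```python
from collections import deque

# Constructed inventory: each host lists the administrative credentials
# that are valid on it (hypothetical names, not real accounts).
HOSTS = {
    "ws-01":   {"shared-local-admin"},
    "ws-02":   {"shared-local-admin"},
    "file-01": {"shared-local-admin", "srv-admin", "ot-admin"},  # dual-homed jump/historian box
    "db-01":   {"srv-admin"},
    "hmi-01":  {"ot-admin"},
    "plc-01":  {"ot-admin"},
}

# Segment assignment used by the segmented policy (constructed).
SEGMENT_OF = {
    "ws-01": "office", "ws-02": "office",
    "file-01": "servers", "db-01": "servers",
    "hmi-01": "ot", "plc-01": "ot",
}


def flat_policy(src, dst):
    """Flat network: any host may open an admin session to any other host."""
    return True


def segmented_policy(src, dst):
    """Segmented network: admin traffic stays inside a segment, with a single
    explicit office -> servers exception (constructed rule)."""
    s, d = SEGMENT_OF[src], SEGMENT_OF[dst]
    return s == d or (s, d) == ("office", "servers")


def blast_radius(start, policy, hosts=HOSTS):
    """Return the set of hosts an intruder who has compromised `start` could
    reach.  Moving to a host needs both a credential already harvested that is
    valid there and a network path the policy allows.  Simplification: every
    credential on a compromised host is treated as harvested."""
    compromised = {start}
    creds = set(hosts[start])
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst, dst_creds in hosts.items():
            if dst in compromised:
                continue
            if creds & dst_creds and policy(src, dst):
                compromised.add(dst)
                creds |= dst_creds
                queue.append(dst)
    return compromised


if __name__ == "__main__":
    for name, policy in (("flat", flat_policy), ("segmented", segmented_policy)):
        hit = blast_radius("ws-01", policy)
        print(f"{name:9s}: {len(hit)}/{len(HOSTS)} hosts reachable -> {sorted(hit)}")
```

On the flat network the shared local-admin password carries the intruder from one workstation to the file server, and the OT credential stored there opens the plant floor, so every host falls. With the same credentials but segment rules in place, the servers -> OT path is blocked and the OT segment keeps running; that is the resilience the text describes. The inputs here are constructed, but the same walk can be run over a real credential and firewall inventory to find which shared account or segment exception is doing the most damage.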
Problems and Patches for WiFi, Windows, and More
Aside from the headline-grabbing pipeline attack, the month of May continued the high-volume vulnerability trend, with many patches added to an IT team’s to-do list.
Recently, it was revealed that all WiFi devices suffer from at least one of a variety of vulnerabilities discovered by researchers, collectively named FragAttacks.
No active exploits of FragAttacks have been reported, but the flaws affect devices built as early as 1996. A word of caution with older equipment, however: older models tend to lack support or to be lower priorities for large vendors to patch.
IT teams need to inspect WiFi routers as well as all WiFi enabled devices and create a map of what firmware can be updated or discontinued. Critical equipment that cannot be patched or replaced will need to be isolated very carefully to prevent future attacks.
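The inventory map described above (what can be updated, what should be discontinued, and what must be isolated) is easy to get wrong by hand, especially the firmware version comparison. The script below is an added example, not code from the original post or from Ideal Integrations; the device names, vendors and version numbers are constructed, and the `fixed_in` field stands in for whatever fixed-firmware version a vendor's advisory actually lists. It sorts each device into one of four actions and shows the version-comparison pitfall that a plain string compare would trip over.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class WifiDevice:
    name: str
    vendor: str
    firmware: str               # firmware currently running
    fixed_in: Optional[str]     # earliest vendor firmware with the fix; None if none published
    replaceable: bool           # can it be retired or swapped without an outage?


def version_key(v):
    """Turn '1.10.2-rc1' into (1, 10, 2) so that 1.10 sorts after 1.9.
    Comparing the raw strings would rank '1.9.0' above '1.10.0'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def triage(dev):
    """Decide the action for one device: patch it, confirm it is already fixed,
    discontinue it, or isolate it because nothing else is possible."""
    if dev.fixed_in is not None:
        if version_key(dev.firmware) >= version_key(dev.fixed_in):
            return "up-to-date"
        return "patch"
    return "replace" if dev.replaceable else "isolate"


def build_map(devices):
    """Group device names by action; this is the map the text calls for."""
    plan = {"up-to-date": [], "patch": [], "replace": [], "isolate": []}
    for d in devices:
        plan[triage(d)].append(d.name)
    return plan


# Constructed inventory for demonstration only.
INVENTORY = [
    WifiDevice("ap-lobby",       "VendorA", "2.3.1",  "2.4.0", True),
    WifiDevice("ap-warehouse",   "VendorA", "2.4.0",  "2.4.0", True),
    WifiDevice("badge-reader-1", "VendorB", "1.10.0", "1.9.0", True),   # string compare would say 'patch'
    WifiDevice("printer-3f",     "VendorC", "1.0.7",  None,    True),
    WifiDevice("lab-controller", "VendorD", "5.2",    None,    False),  # unpatchable and cannot be swapped
]


if __name__ == "__main__":
    for action, names in build_map(INVENTORY).items():
        print(f"{action:11s}: {', '.join(names) or '-'}")
```

Devices that land in the `isolate` bucket are the ones the text warns about: they should get their own network segment, with only the traffic they need allowed in and out, rather than sitting on the general WiFi next to everything else. Re-running the script as vendors publish fixes moves devices out of that bucket as soon as a `fixed_in` version exists.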
May’s Microsoft patch fixed 55 vulnerabilities – including 4 critical vulnerabilities – in products such as Microsoft Exchange Server and Internet Explorer. Adobe, Android, Apple, Cisco, SAP, and VMware also released patches recently.
Get the Right Support
IT teams will certainly have their hands full with testing, applying patches, and verifying installs for quite a while.
If your team needs help with patching, creating network segmentation, or tracking down WiFi devices, contact Ideal Integrations at 412-349-6680 or complete the form below.
Our network and cybersecurity experts are ready and willing to help across a full spectrum of services from special projects to ongoing outsourcing.