As new software vulnerabilities surface and the ransomware industry trends toward the “as-a-service” business model, industry and federal cyber leaders recommend key tools like software bills of materials (SBOMs), continuous authorization to operate (cATO) and more aggressive cyber hygiene practices for improving software security.
In a new ransomware advisory, the Cybersecurity and Infrastructure Security Agency (CISA) listed software vulnerabilities, stolen remote desktop controls, phishing attacks via email, ransomware attacks timed to holidays and weekends, ransomware attacks targeting the cloud and “ransomware as a service” as top cybercrime trends in 2021. CISA expects these to only continue this year.
In a statement accompanying a ransomware advisory this week, CISA Director Jen Easterly urged private companies and federal agencies to consistently report unusual network activity, cyber vulnerabilities and incidents to CISA and the FBI so they can address them and warn other at-risk organizations.
“We live at a time when every government, every business, every person must focus on the threat of ransomware and take action to mitigate the risk of becoming a victim,” Easterly said.
Easterly also encouraged aggressive cyber hygiene practices like timely patching, monitoring remote desktop controls, and implementing user training programs to help employees recognize malicious emails.
The Defense Department wants to take software security a step further. Describing routine scanning and patching as no longer satisfactory for a workable cyber strategy, a new DOD memo advocates for cATO to improve software security throughout the department.
During a Senate Homeland Security and Governmental Affairs Committee hearing on the Log4j vulnerability identified in November 2021, industry witnesses warned Congress about the unavoidability of cyberattacks, but said industry and federal agencies “could be better” about software version currency to avoid vulnerabilities.
“The ability to quickly update to the most secure and up-to-date versions remains a significant hurdle for the software industry,” said David Nalley, president of the Apache Software Foundation. Nalley also suggested SBOMs as a path toward improved software security.
Log4j, an Apache software application and Java-based logging framework designed to record operating events, was developed from an open source software library and is, as Nalley pointed out, ubiquitous across the software industry.
The Log4j vulnerability, dubbed Log4Shell, highlights longstanding security concerns surrounding open source software.
“Every stakeholder in the software industry — including its largest customers, like the federal government — should be investing in software supply chain security,” Nalley said.
Cisco Systems Senior Vice President and Chief Security and Trust Officer Brad Arkin said CISA’s Joint Cyber Defense Collaborative (JCDC), which Easterly stood up in August 2021, enabled an open line of communication between Cisco, other industry partners and federal cyber responders during the Log4j incident.
“Private-sector risk prioritization efforts greatly benefit from the government sharing readily actionable cyber threat information at the lowest possible classification, which then enables their rapid, timely and widespread dissemination,” Arkin said. “Tools like SBOMs have the potential to help coordinate efforts across the entire ecosystem to make it easier to achieve good outcomes despite the inevitable presence of these vulnerabilities.”