DHS Develops Baseline Cybersecurity Goals for Critical Infrastructure
October 30, 2022
The DHS on Thursday announced Cybersecurity Performance Goals (CPGs) to help organizations — particularly in critical infrastructure sectors — prioritize cybersecurity investments and address critical risks.

The CPGs were developed by the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) in collaboration with NIST based on feedback from partners in public and private sectors.

They are a result of the White House’s efforts to improve the US’s cybersecurity, and the DHS says the goals are unique in that they address risk not only to individual entities, but also the aggregate risk to the nation.

CPGs are a set of cross-sector recommendations that can be highly useful to an organization in securing its systems, but they are voluntary — organizations are not required by the government to use them. They are designed to complement NIST’s Cybersecurity Framework.

CPGs are described as baseline cybersecurity performance goals focusing on a prioritized subset of IT and OT security practices that can help organizations significantly reduce the likelihood and impact of risks and adversary techniques. In addition, they can serve as a benchmark for measuring and improving cybersecurity maturity.

CPG categories include account security, device security, data security, governance and training, vulnerability management, supply chain / third party, and response and recovery.

These categories cover detection of unsuccessful login attempts, password-related issues, MFA, identity and access management, hardware and software approval processes, disabling macros, asset inventories, device configurations, mitigating risks associated with unauthorized devices, logging, and sensitive data protection.

They also cover cybersecurity leadership, training, mitigating known vulnerabilities, deploying security.txt files, addressing internet exposure risks, third-party validation of cybersecurity control effectiveness, vendor security requirements, supply chain incident reporting, incident response plans, and system backups.

Organizations have been provided a checklist that can be used to prioritize goals based on cost, complexity and impact. CISA has also set up a page on GitHub where organizations can submit feedback.

While industry professionals applaud the initiative, some have pointed out issues. Ron Fabela, CTO and co-founder at SynSaber, noted that the CPGs come with challenges specific to OT systems.

“Top-down guidance from CISA or other agencies is often hard to apply and measure across such large and diverse critical infrastructure sectors. Difficult-to-measure criteria for success are left to those doing the measurement. There’s also the tension between performance-based goals that are not overly prescriptive (as they should be) and guidance that is non-applicable to the audience,” Fabela said.

“Even within this report and checklist asset owners are left analyzing what is applicable and feasible. Many of the goals have unique callouts for ‘OT’ and plenty of caveats such as ‘where technically feasible’, a phrase that has been the bane of effective cybersecurity governance of ICS,” he added.

Chris Gray, AVP of cybersecurity at Deepwatch, noted that while the CPGs are a subset of the controls present in NIST’s Cybersecurity Framework, they can still be useful.

“There is little new here other than some additional classification around IT/OT and saving the agency/group/service from having to go through the process of selecting and prioritizing controls. That is absolutely a help. Some might view it as an ‘easy button’ or ‘lazy’, but in industries where there may not be a lot of security expertise, any help is good help. In addition, these controls SHOULD help establish a minimum baseline of expected activities,” Gray said.

Related: White House Unveils Artificial Intelligence ‘Bill of Rights’

Related: White House Adds Chemical Sector to ICS Cybersecurity Initiative

Related: Biden Signs Executive Order on US-EU Personal Data Privacy

Related: Industry Reactions to Govt Requiring Security Guarantees From Software Vendors

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.