Cybersecurity executive order targets two common attack vectors
Last week’s Presidential order takes aim at software vulnerabilities and compromised credentials
Last week, the Administration released an Executive Order (EO) on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”
There are important elements within this order that will help address two of the most common attack vectors: compromised credentials (lost, stolen or weak passwords) and software vulnerabilities.
Within the EO, Federal Agencies will be immediately required to use the NIST Framework for Improving Critical Infrastructure Cybersecurity. The Framework provides guidance to agencies and organizations for reducing cybersecurity risks. The guidance touches many areas of IT and operations, including emphasis on stronger identity and access management (IAM) and authentication, which helps address attacks targeted at compromised credentials.
Here are a few reasons why IAM should be a focus for agencies (and businesses):
In addition, the EO cites a second common attack vector, software vulnerabilities, as being among the highest cybersecurity risks faced by executive departments and agencies. Whether they are known vulnerabilities that simply go unpatched (as we have seen in the recent ransomware attack) or weaknesses exploited by zero-day attacks, the software at the heart of our critical infrastructure is a favorite target for attack.
The best way to combat this attack vector is a complete change in how software is developed. Historically, security has often been an afterthought for developers, who are primarily focused on delivering features and functionality, and it was bolted on after the application was deployed. Web application security is a perfect example: applications were deployed first, and security and access control were not added until afterward.
Security needs to be built into the development process and baked into every aspect of application architecture, design, development and deployment.
With 90 percent of security incidents resulting from exploits against defects in software, addressing this issue could have a significant impact on cybersecurity and our critical infrastructure. CA has jumped into the application security market with its recent acquisition of Veracode, a leader in securing the world’s software.
We know the only way to minimize attacks on application vulnerabilities is to fully integrate application security into the software development lifecycle. Modern paradigms like DevSecOps shift security left, bringing it into the development process sooner.
The executive order is a solid step towards improving cybersecurity for both the federal government and critical infrastructure. CA looks forward to working with both government and private sector entities in adopting the best practices outlined in the Framework, and in addressing known and unknown vulnerabilities in code.