Informed by U.S. cyber intelligence and real-world events, each CISA Insight provides background information on particular cyber threats and the vulnerabilities they exploit, as well as a ready-made set of mitigation activities that non-federal partners can implement. This page is continuously updated to reflect new CISA Insights as they are made available.
Actions to Counter Email-Based Attacks on Election-Related Entities
The Threat and How to Think About It
Malicious cyber actors have been known to use sophisticated phishing operations to target political parties and campaigns, think tanks, civic organizations, and associated individuals. Email systems are the preferred vector for initiating malicious cyber operations. Recent reporting shows 32 percent of breaches involve phishing attacks, and 78 percent of cyber-espionage incidents are enabled by phishing.1,2
Cyber actors launching phishing attacks often seek to entice users to do one of three things.
- Click on a link and turn over credentials (username and password), so the cyber actor can gain access to an account.
- Open an attachment or click a link that delivers the cyber actor’s malware.
- Click a link to a website that the cyber actor monitors; this verifies that the email account is valid for subsequent targeting.
Cyber actors can also use credential-based techniques to gain access to accounts in various ways.
- Password spraying attacks rely on cyber attackers using a commonly used password against multiple usernames.
- Brute-force attacks rely on cyber attackers knowing the username and attempting several passwords.
- Credential stuffing attacks rely on cyber attackers using usernames and password combinations gained from data breaches against other accounts.
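The three credential-based techniques above leave different shapes in failed-login data, which is what lets a defender tell them apart. The following Python is an added example, not part of the CISA Insight. It classifies each source address from a set of constructed failed-login events, and it assumes the log carries a `pw_tag` field (a keyed hash of the submitted password) and that the events already fall within one review window.

```python
from collections import defaultdict

# Constructed failed-login events: (source_ip, username, pw_tag).
# pw_tag is an assumed log field: a keyed hash of the submitted password, so
# equal passwords can be grouped without the password itself being stored.
EVENTS = (
    [("203.0.113.10", f"user{i}", "tagA") for i in range(12)]         # one password, many users
    + [("203.0.113.20", "treasurer", f"guess{i}") for i in range(15)]  # one user, many passwords
    + [("203.0.113.30", f"staff{i}", f"leak{i}") for i in range(12)]   # distinct user/password pairs
    + [("198.51.100.5", "volunteer", "typo1"), ("198.51.100.5", "volunteer", "typo2")]
)


def classify_source(attempts, min_failures=10):
    """Label one source's failed logins by the shape of users versus passwords."""
    if len(attempts) < min_failures:
        return "below-threshold"          # ordinary mistyped passwords land here
    users = {user for user, _ in attempts}
    tags = {tag for _, tag in attempts}
    passwords_per_user = defaultdict(set)
    for user, tag in attempts:
        passwords_per_user[user].add(tag)
    most_guesses = max(len(s) for s in passwords_per_user.values())

    # Spraying: many usernames, a handful of common passwords shared across them.
    if len(users) >= 5 and len(tags) * 4 <= len(users):
        return "password-spraying"
    # Brute force: a known username hit with many different passwords.
    if len(users) <= 2 and most_guesses >= min_failures // 2:
        return "brute-force"
    # Stuffing: many usernames, each tried once or twice with its own password,
    # as happens when breached username/password pairs are replayed.
    if (len(users) >= 5 and len(attempts) / len(users) <= 2
            and len(tags) * 4 >= len(users) * 3):
        return "credential-stuffing"
    return "unclassified"


def classify_sources(events, min_failures=10):
    """Group events by source address and classify each group."""
    by_source = defaultdict(list)
    for source, user, tag in events:
        by_source[source].append((user, tag))
    return {src: classify_source(a, min_failures) for src, a in by_source.items()}


if __name__ == "__main__":
    for source, verdict in classify_sources(EVENTS).items():
        print(f"{source:15} {verdict}")
```

Where no password fingerprint is logged, spraying and stuffing both appear as many usernames with few attempts each, and only the brute-force shape remains distinguishable.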
To protect against these attacks, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations involved in any election-related activities prioritize the protection of accounts from email-based attacks by:
- Using provider-offered protections, if utilizing cloud email.
- Securing user accounts on high value services.
- Implementing email authentication and other best practices.
- Securing email gateway capabilities.
When Using Cloud Email, Use Provider-Offered Protections
Organizations that use cloud email providers should enable various protections their provider offers.
- Require multi-factor authentication (MFA) for all user email accounts.
- Use either physical security keys (such as those following the FIDO2 standard) or authentication apps (such as those following the TOTP algorithm).
- Physical security keys offer protection against phishing attacks by working as a second, physical factor of authentication and only authenticating when a user is on the correct website. Thus, even if a user is tricked into supplying their password to a phishing website, the physical security key will still block attackers from accessing their account.
- Authentication apps work by having a user enter a code from an app. Although authentication apps can still be vulnerable to phishing attacks, they offer more protection than SMS or email-based MFA.
- Only use SMS and email-based MFA methods if other forms of MFA are unavailable. SMS and email-based MFA methods are vulnerable to phishing and SIM swap attacks, though they still offer better protection than password-based single-factor authentication.
- When available, enroll user accounts in advanced protection services.
- These services provide the highest level of protection against phishing and other attacks, applying robust filtering techniques, with many requiring physical security keys. For instance, Google offers an Advanced Protection service for all users, and Microsoft offers an Advanced Threat Protection service. Google also offers an Enhanced Account Protection service at no cost to at-risk election-related organizations. Note: CISA includes these references with the intention of highlighting the types of services available; doing so does not constitute endorsement of any particular company or service.
Secure User Accounts on High-Value Services
Protect individual accounts on high-value services to mitigate the impact of a successful phishing attack.
- Enroll in a password manager service for your organization and encourage employees to use it.
- Password managers protect against phishing by generating secure, random passwords and automatically filling passwords when visiting websites. Password managers will not automatically enter passwords on malicious websites, giving employees a crucial cue that they should not proceed.
- Require MFA for user accounts on all high-value services when possible.
- If possible, deploy physical security keys for access to high-value services.
- After physical keys, authentication app-based MFA (TOTP) is the next safest option, followed by SMS and email-based MFA. Use SMS and email-based MFA only when no other MFA options are available.
- If a high-value service does not support any form of MFA, consider switching to a similar service that does offer MFA.
- Eliminate unnecessary password composition and rotation requirements in favor of secure, human-friendly requirements.
- Recent research shows that excessive password requirements (such as including special characters or numbers) tend to cause user frustration and may reduce security.3 Consider adopting password requirements to match guidance from the National Institute of Standards and Technology (NIST) in Special Publication 800-63B, which recommends long, human-friendly, memorable passwords (e.g., sequences of several words).
- Consider registering your organization for a password breach monitoring service.
- Password reuse is a leading cause of account compromise. Attackers often use breached credentials to attempt to access other services for which the victim may have reused credentials. In addition to encouraging use of password managers to reduce password reuse, organizations should consider monitoring password breaches for exposed employee credentials. Several vendors offer password breach monitoring services and will send notifications to an organization if employee passwords appear in a data breach.
Implement Email Authentication and Other Best Practices
- Enable STARTTLS.
- When enabled by a receiving mail server, STARTTLS signals to a sending mail server that the capability to encrypt an email in transit is present. While it does not force the use of encryption, enabling STARTTLS makes on-path attacks more difficult.
- Disable outdated protocols and ciphers.
- Ensure that outdated, insecure protocols—such as SSLv2 and SSLv3—as well as 3DES and RC4 ciphers are disabled on mailing servers.
- Implement SPF and DKIM.4
- SPF and DKIM allow a sending domain to effectively “watermark” their emails, making unauthorized emails (e.g., spam, phishing email) easy to detect.
- Configure a DMARC policy of “reject”, if possible, or at minimum, “p=none”.5
- When an email is received that does not pass an organization’s posted SPF/DKIM rules, DMARC tells the recipient what the domain owner would like done with the message.
- Setting a DMARC policy of “reject” provides the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery. Additionally, DMARC reports provide a mechanism for an organization to be made aware of the source of an apparent forgery—information that they would not normally receive otherwise. Multiple recipients can be defined for the receipt of DMARC reports.
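The difference between a DMARC policy of "reject" and "p=none", and the role of report recipients, can be checked directly from the published TXT record. The following Python is an added example, not part of the CISA Insight. It parses a DMARC record and lists what keeps it short of full enforcement; the sample records and the example.org addresses are constructed.

```python
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample records, as they would appear in the TXT record at
# _dmarc.<domain>.
SAMPLES = {
    "strong": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org,mailto:soc@example.org",
    "monitor": "v=DMARC1; p=none",
    "partial": "v=DMARC1; p=reject; pct=25; sp=none; rua=mailto:dmarc@example.org",
}


def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def assess_dmarc(record):
    """Return the effective policy and the reasons it is weaker than reject."""
    pairs = parse_tags(record)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if policy not in POLICY_RANK or sub_policy not in POLICY_RANK:
        raise ValueError("p and sp must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))             # pct defaults to 100
    rua = [uri.strip() for uri in tags.get("rua", "").split(",") if uri.strip()]

    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is treated as suspicious, not rejected")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if POLICY_RANK[sub_policy] < POLICY_RANK[policy]:
        findings.append(f"sp={sub_policy}: subdomains are held to a weaker policy")
    if not rua:
        findings.append("no rua: aggregate reports about forgeries are not received")

    enforced = policy == "reject" and sub_policy == "reject" and pct == 100
    return {"policy": policy, "subdomain_policy": sub_policy, "pct": pct,
            "rua": rua, "enforced": enforced, "findings": findings}


if __name__ == "__main__":
    for name, record in SAMPLES.items():
        result = assess_dmarc(record)
        print(name, result["policy"], "enforced" if result["enforced"] else "not enforced")
        for finding in result["findings"]:
            print("   -", finding)
```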
Secure Email Gateway Capabilities
- Organizations operating their own email gateways should secure email gateways, appliances, and services to intercept phishing emails.
- Deploy an email filter solution that screens based on headers and malicious content (e.g., infected attachments), categorizes email, inspects Uniform Resource Locators (URLs) against reputation feeds, and has customizable rule-based filters.
- Strip and/or block emails containing active content (e.g., ActiveX, Java, Visual Basic for Applications [VBA], or macros) by default. Administrators should allowlist such content only for legitimate reasons.
- Consider reformatting hyperlinks in the body of email messages by rewriting URLs as plaintext.
- Deploy sandboxing or detonation chambers to safely isolate malicious links.
- Ensure detection signatures and blocklists are up to date.
- Block email beyond a certain size and/or containing attachments that exceed a certain size.
- Consider legitimate needs to receive large file sizes and limit file size to suit organizational need.
- Block certain file extensions—including unknown or unused attachments that should not typically be transmitted over email—to prevent vectors such as .scr, .exe, .pif, and .cpl.
- To the extent feasible, filter out mislabeled file extensions, for example, an executable (.exe) file labeled as a document (.doc) file.
- Open and analyze compressed and encrypted formats, such as .zip and .rar, that attackers may use to conceal malicious attachments in obfuscated files or information. If unable to open and analyze such content, consider blocking encrypted .zip and other files. However, blocking attachments might keep legitimate files from reaching recipients, which may hinder business functions. Consider using workarounds, such as allowlisting (e.g., trusted senders), to limit negative impacts to operations.
- Consider removing the encrypted content from the message and putting it in an out-of-band delivery solution (e.g., web-based portal), replacing the content with a token/link in the original message.
- Ensure all email gateways, appliances, or services are configured to use only approved Domain Name System (DNS) resolvers and forwarders.
- Consider implementing warning banners to alert users about emails (particularly those with links and attachments) that originate from outside the organization (place trusted domains on your allowlist to reduce unnecessary implementation).
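Three of the gateway checks above (blocked extensions, mislabeled file extensions, and encrypted archives that cannot be inspected) can be expressed as a small attachment screen. The following Python is an added example, not part of the CISA Insight or any gateway product. It screens a constructed message whose attachments, file names and addresses are all made up for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

BLOCKED_EXT = {".scr", ".exe", ".pif", ".cpl"}    # extensions named in the guidance
MAGIC = [                                         # (leading bytes, detected type)
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy Office container
    (b"%PDF-", "pdf"),
]
EXPECTED = {".doc": "ole2", ".xls": "ole2", ".docx": "zip", ".zip": "zip", ".pdf": "pdf"}


def sniff(payload):
    """Identify content by its leading bytes rather than by its file name."""
    for magic, kind in MAGIC:
        if payload.startswith(magic):
            return kind
    return "unknown"


def zip_has_encrypted_member(payload):
    """True if any archive member has the ZIP 'encrypted' flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            return any(info.flag_bits & 0x1 for info in archive.infolist())
    except zipfile.BadZipFile:
        return False


def screen_attachment(filename, payload):
    """Return the list of reasons this attachment should be held."""
    findings = []
    ext = PurePosixPath(filename.lower()).suffix
    kind = sniff(payload)
    expected = EXPECTED.get(ext)
    if ext in BLOCKED_EXT:
        findings.append("blocked-extension")
    # Mislabeled: content disagrees with the extension, or executable content
    # travels under a name that does not announce an executable.
    if (expected and kind != expected) or (kind == "pe-executable" and ext not in BLOCKED_EXT):
        findings.append(f"content-mismatch:{kind}")
    if kind == "zip" and zip_has_encrypted_member(payload):
        findings.append("encrypted-archive")
    return findings


def screen_message(raw):
    """Screen every attachment of a raw RFC 5322 message."""
    message = message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in message.iter_attachments():
        name = part.get_filename() or "unnamed"
        results[name] = screen_attachment(name, part.get_payload(decode=True))
    return results


def encrypted_zip_sample():
    """Constructed sample: an ordinary ZIP with the encrypted flag set in its headers."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("invoice.txt", "constructed sample")
    data = bytearray(buffer.getvalue())
    data[6] |= 0x01                               # flags in the local file header
    data[data.index(b"PK\x01\x02") + 8] |= 0x01   # flags in the central directory
    return bytes(data)


def build_sample_message():
    """Constructed message carrying four attachments, one per case."""
    message = EmailMessage()
    message["From"], message["To"] = "sender@example.org", "staff@example.org"
    message["Subject"] = "constructed sample"
    message.set_content("See attached.")
    samples = {
        "agenda.doc": b"MZ\x90\x00" + b"\x00" * 60,       # executable header, document name
        "screensaver.scr": b"MZ\x90\x00" + b"\x00" * 60,
        "results.zip": encrypted_zip_sample(),
        "notes.pdf": b"%PDF-1.7\n% constructed sample\n",
    }
    for name, data in samples.items():
        message.add_attachment(data, maintype="application",
                               subtype="octet-stream", filename=name)
    return message.as_bytes()


if __name__ == "__main__":
    for name, findings in screen_message(build_sample_message()).items():
        print(f"{name:16} {findings or 'deliver'}")
```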
COVID-19 Disinformation Activity
False and misleading information related to the coronavirus (COVID-19) is a significant challenge. This CISA Insight provides an overview of coronavirus disinformation and steps that can be taken to reduce the risk of sharing inaccurate information with your friends and family.
After the initial outbreak of COVID-19, disinformation campaigns appeared online. Information manipulation and fabrication about COVID-19’s origin, scale, government response, and/or prevention and treatment surged as creators leveraged people’s increased uncertainty.
China and other authoritarian governments have promoted false claims about the origins of the virus in an attempt to shift blame overseas and divide free societies against themselves. Common tactics they use include censoring news, injecting false narratives onto social media platforms, and promoting slick government-produced videos.
Chinese state-backed media continue to promote content emphasizing China’s claimed success rapidly controlling the virus, while suggesting the U.S. and other Western countries have failed in their response. These narratives are amplified on a variety of social media platforms.
5G and COVID
Disinformation campaigns have promoted false narratives that 5G technology suppresses immune systems and that 5G spectrum bands spread the virus.
Government Response to COVID-19
Disinformation involving the government’s response to COVID-19 has been circulated to cause confusion among Americans, including false claims the National Guard Bureau would be supporting nationwide quarantines.
Prevention and Treatment of COVID-19
False information about COVID-19 treatments continues to circulate on social media, including potentially extremely harmful suggestions to drink bleach or chlorine dioxide, to use vitamin C or boiled garlic, or that illicit drug activity can “cure” the virus.
There are simple steps you can take to minimize the likelihood of amplifying disinformation.
- Go to trusted sources of information like www.Coronavirus.gov. FEMA has also established a coronavirus rumor control website at www.FEMA.gov/coronavirus/rumor-control where you can learn more about specific disinformation campaigns.
- Check the source of the information.
- Search for other reliable sources of information on the issue.
- Think before you link – take a moment to let your emotions cool down before sharing anything online.
CISA’s Role as the Nation's Risk Advisor
CISA collaborates with industry and government partners to help organizations understand and counter critical infrastructure and cybersecurity risks associated with the malicious activities of nation-state and non-state actors. CISA provides recommendations to help partners stay vigilant and protected against potential foreign influence operations.
Risk Management for Novel Coronavirus (COVID-19)
The Threat and How to Think About It
This product is for executives to help them think through physical, supply chain, and cybersecurity issues that may arise from the spread of Novel Coronavirus, or COVID-19. According to the U.S. Centers for Disease Control and Prevention (CDC), COVID-19 has been detected in locations around the world, including multiple areas throughout the U.S. This is a rapidly evolving situation and for more information, visit the CDC’s COVID-19 Situation Summary.
COVID-19 Risk Profile
On March 11, the COVID-19 outbreak was characterized as a pandemic by the WHO. The virus that causes COVID-19 is infecting people and spreading easily from person-to-person. Cases have been detected in most countries worldwide and community spread is being detected in a growing number of countries.
In anticipation of a broader spread of COVID-19, globally and within the United States, organizations should plan for continued impacts to their workforce and operations.
CISA's Role as the Nation's Risk Advisor
The Cybersecurity and Infrastructure Security Agency (CISA) is working closely with partners to prepare for possible impacts of a COVID-19 outbreak in the United States. COVID-19 containment and mitigation strategies will rely heavily on healthcare professionals and first responders detecting and notifying government officials of occurrences.
CISA will use its relationships with interagency and industry partners to facilitate greater communication, coordination, prioritization and information-sharing between the private sector and the government.
As the situation changes, the virus may affect essential operations for businesses and federal, state, local, tribal, and territorial (SLTT) government entities.
To stay current with CISA's efforts regarding COVID-19, visit: cisa.gov/coronavirus.
What's in this guide:
- Actions for Infrastructure Protection
- Actions for your Supply Chain
- Cybersecurity for Organizations
- Cybersecurity Actions for your Workforce and Consumers
Visit the CDC Website, or contact CDC for COVID-19 related issues or to share critical and timely information by sending an email to firstname.lastname@example.org and email@example.com or by calling 1-800-232-4636.
Actions for Infrastructure Protection
Planning and preparedness are critical to reducing the impact of COVID-19 on the Critical Infrastructure community, and CISA recommends organizations take the following precautions to prepare for possible impacts from COVID-19:
- Designate a response coordinator and assign team members with specific responsibilities.
- Implement a formal worker and workplace protection strategy.
- Train workers on personal and worksite protection strategies.
- Establish and test flexible worksite (e.g., telework) and work hour policies.
- Identify essential functions, goods, and services your organization requires to sustain its own operations and mission.
- Determine how long your organization can expect to continue providing essential functions, goods, and services in potentially reduced quantities.
- Identify and prioritize suppliers of critical products and services for your organization.
- Continuously assess ongoing preparedness activities to adjust objectives, effects, and actions based on changes in the business and greater economic and social environments.
- Monitor federal, state, local, tribal, and territorial COVID-19 information sites for up-to-date information on containment and mitigation strategies.
Actions for your Supply Chain
- Assess your organization’s supply chain for potential impacts from disruption of transport logistics and international manufacturing slowdowns resulting from COVID-19.
- Discuss with those suppliers any challenges they may be facing or may expect to face due to the ongoing situation.
- Identify potential alternate sources of supply, substitute products, and/or conservation measures to mitigate disruptions.
- Communicate with key customers to keep them informed of any issues you have identified and the steps you are taking to mitigate them.
Cybersecurity for Organizations
As organizations explore various alternate workplace options in response to COVID-19, CISA recommends examining the security of information technology systems by taking the following steps:
- Secure systems that enable remote access.
- Ensure Virtual Private Network and other remote access systems are fully patched.
- Enhance system monitoring to receive early detection and alerts on abnormal activity.
- Implement multi-factor authentication.
- Ensure all machines have properly configured firewalls as well as anti-malware and intrusion prevention installed.
- Test remote access solutions capacity or increase capacity.
- Ensure continuity of operations plans or business continuity plans are up-to-date.
- Increase awareness of information technology support mechanisms for employees who work remotely.
- Update incident response plans to consider workforce changes in a distributed environment.
Cybersecurity Actions for your Workforce and Consumers
Malicious cyber actors could take advantage of public concern surrounding COVID-19 by conducting phishing attacks and disinformation campaigns. Phishing attacks often use a combination of email and bogus websites to trick victims into revealing sensitive information. Disinformation campaigns can spread discord, manipulate the public conversation, influence policy development, or disrupt markets.
CISA encourages individuals to guard against COVID-19-related phishing attacks and disinformation campaigns by taking the following precautions:
- Avoid clicking on links in unsolicited emails and be wary of email attachments.
- Do not reveal personal or financial information in emails, and do not respond to email solicitations for this information.
- Review CISA's Tip on Avoiding Social Engineering and Phishing Scams for more information on recognizing and protecting against phishing.
- Review the Federal Trade Commission's blog post on coronavirus scams for information on avoiding COVID-19 related scams.
- Use trusted sources, such as legitimate government websites, for up-to-date, fact-based information about COVID-19.
To view or download this document, please go to cisa.gov/coronavirus/insights.
FY20 Preparedness Grant Guidance on Cyber, Soft Target, and Elections Security Investments
The Secretary of Homeland Security has released the Fiscal Year (FY) 2020 Preparedness Grant guidance. It directs and encourages investment in the areas of cybersecurity, soft targets and crowded places, intelligence and information sharing, emerging threats, and elections infrastructure security. These articulated priorities reflect the transformation underway in our shared risk environment and threat landscape. As a Nation with increasing reliance on collective preparedness and response, multi-disciplinary collaboration, and shared skills and resources, we must stay ahead of our adversaries. The challenges confronting State, Local, Tribal, and Territorial jurisdictions should and do inform how we prevent, prepare, protect, and respond to all-hazard situations, as well as domain-specific security conditions. The changes in the FY20 grant guidance reflect great opportunity for addressing emergent risks, closing historically underinvested capability and capacity gaps, and providing investment for high-performance innovations.
As the Nation’s risk advisor, the Cybersecurity and Infrastructure Security Agency (CISA)—in collaboration with industry and government partners—helps organizations understand, reduce, and mitigate the risk of nation-state and non-state actors’ malicious activity. CISA is providing recommendations to help partners frame the FY20 Preparedness Grant opportunities as a further means to remain vigilant and protected against potential cyber and physical threats. The following considerations assist in answering the questions: How should I think about these investments and set priorities? Where does CISA see the greatest areas of risk-based investment need? Where can I find resources to consult, and get assistance in shaping investment justifications? Understanding that this is a long-term process, CISA plans to work closely with the Federal Emergency Management Agency, and you as our partner, on these new investment priorities—helping you beyond FY20 with technical assistance and other support.
As the dependence on and vulnerabilities to information technologies continue to expand, State, Local, Tribal, and Territorial agencies must keep pace by deploying consensus cybersecurity best practices. Involve Chief Information Officers and Chief Information Security Officers as you consider the following:
- Fundamentals. Focus on training staff, understanding who is and what is on your networks, protecting your data, and planning for resiliency, including cyber incident response plans at state and local levels.
- Investment. Invest in transparent, enterprise-wide capabilities that minimize attack surface, disrupt malicious connections, and ensure recoverability of normal operations.
- Holistic View. Take regional or state-wide approaches, increasing effectiveness and efficiency.
Soft Targets and Crowded Places
Sports venues, shopping venues, schools, transportation systems, as well as other soft targets and crowded places are easily accessible to large numbers of individuals and often have limited security or protective measures in place. State, Local, Tribal, and Territorial agencies should consider focusing their investments in the following areas:
- Plan. Prepare government, businesses, and the public to prevent attacks on soft targets.
- Train. Identify and report suspicious behavior so it can be addressed.
- Protect. Protect against acts of violence and unmanned aircraft systems.
- Prepare. Prepare and respond to active assailants and bombings.
When allocating resources to assist in election security, state and local jurisdictions are encouraged to follow guidance from their state election officials, the Election Assistance Commission, CISA’s Election Security Resource Guide, and the Election Infrastructure Government Coordinating Council Funding Considerations document. This guidance includes:
- Plan. Establish processes and implement best practices to add resilience to America’s elections.
- Prepare. Train and exercise to ensure everyone understands their role in election security.
- Invest. Invest in systems and associated security controls specific to election infrastructure.
- Investment in Network Architecture and Cybersecurity Assessments. A full system architecture review can be a critical starting point for risk mitigation decisions. Findings should drive future investments.
- Data Protection, Backup, and Recovery. Consider investing in technologies to protect data critical to your agency’s mission, to include voter registration databases. Also consider capabilities that automatically and continuously back up your business-critical data and system configurations as they change.
- DNS Filtering Services. Sometimes referred to as Domain Name Service Blocking or Firewall, consider DNS filtering services with integrated threat intelligence to filter and prevent establishment of connections to unauthorized websites, suspicious domain names, and known malicious domain names associated with malware and phishing.
- Patch and Update Management. Consider capabilities that keep you aware of the status of assets and shorten the time needed to obtain and deploy software and firmware patches.
- Application to Emergency Communications. Apply best practices to the protection of Public Safety Answering Points; include foundational cybersecurity measures as part of a transition to Internet Protocol-based networks supporting Next Generation 9-1-1.
- DMARC. Domain-based Message Authentication, Reporting, and Conformance is an email authentication protocol that protects against email spoofing.
- Training and Exercises. Train staff to reduce susceptibility to phishing attacks, promote general cybersecurity awareness, and conduct table top exercises to improve resilience.
- Get on DotGov. The .gov top-level domain is a more secure environment for bona fide U.S.-based State, Local, Tribal, and Territorial government organizations.
- Building Cyber Liaison Programs. Establish liaisons, or "navigators," to provide practical cybersecurity knowledge, support, and services to State, Local, Tribal, and Territorial agencies and local election officials.
Note: Many of the cybersecurity-focused investment considerations outlined above will also provide security and resilience benefits for election infrastructure.
Soft Targets and Crowded Places
Based on the Securing Soft Targets and Crowded Places Resource Guide, investments to consider include:
- Assessment Teams. Develop assessment teams, to include security planning activities and training.
- Risk Management. Assess critical sites, such as schools, polling and caucus locations, and other public venues.
- Training and Exercises. Train staff and participate in tabletop exercises and drills to prepare for safety incidents.
- Implement Best Practices. Incorporate assessment results into emergency operations plans.
State, Local, Tribal, and Territorial agencies should also consider how investments within the grant guidance can improve school safety. Resources to support threat assessment, emergency operations planning, and training and exercises to promote safer and more resilient schools can be found at Schoolsafety.gov.
To engage with CISA Regional personnel in your area of operation, please contact CISA at firstname.lastname@example.org. CISA operates ten (10) Regional offices that provide stakeholder services and resources that can help shape investment justifications. Some of the options and considerations may be long-term in nature. Early engagement with regional personnel who live and work in your communities will allow for more effective security planning for your specific organization.
For more information visit CISA.gov
Enhancing Chemical Security During Heightened Geopolitical Tensions
The Threat and How to Think About It
In light of recent international events with the potential for retaliatory aggression against the U.S. and our critical infrastructure, CISA urges facilities with chemicals of interest (COI)—whether tiered or untiered under the Chemical Facility Anti-Terrorism Standards (CFATS) program—to consider enhanced security measures to decrease the likelihood of a successful attack. As noted in the recent National Terrorism Advisory System (NTAS) Bulletin, certain offensive cyber operations have been attributed to the Iranian government, which allegedly has targeted a variety of industries and organizations, including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defense industrial base.
As of January 15, 2020, tiered CFATS facilities are not being required to implement the heightened security measures under Risk-Based Performance Standards (RBPS) 13 and 14 of their security plans. CISA is monitoring the intelligence information and will inform high-risk chemical facilities if there are changes that warrant activation of RBPS 13 or 14.
Things to Do Today
- Adopt a state of heightened awareness:
- Minimize coverage gaps in personnel availability.
- Log in or request access to the Chemical Sector portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI) to receive, submit, and discuss timely, actionable information.
- Regularly consume relevant threat intelligence.
- Ensure your emergency call tree is up to date.
- Stay tuned for future updates to the NTAS status for indications of elevated or specific threats.
- Increase organizational vigilance:
- Ensure your security staff monitor key internal security capabilities and know how to identify anomalous behavior.
- Flag any known indicators of compromise and adversary tactics, techniques, and procedures for immediate response.
- Confirm reporting processes:
- Remind facility personnel how and when to report an incident and what to report.
- Report cybersecurity incidents to CISA to help serve as part of our early warning system.
- Exercise your incident response plan/crisis management plan:
- Review your CFATS Site Security Plan/Alternative Security Program (SSP/ASP) or facility security plan to ensure it is current and relevant to your operations.
- Conduct a quick tabletop exercise as a reminder of the key steps to follow during an incident.
Actions for Cyber Protection
- Back up all critical information, store backups offline, and test the ability to revert to backups during an incident.
- Risk Analysis:
- Conduct or review a cybersecurity risk analysis for business and operational systems, particularly any systems related to processes involving chemicals.
- Sign up for CISA cyber assessments such as cyber hygiene vulnerability scanning.
- Secure external access to critical cyber systems.
- Identify all unnecessary ports and protocols and disable them immediately.
- Identify and evaluate potential vulnerabilities and implement appropriate compensatory security controls.
- Restrict physical access to critical cyber assets and media to limited authorized users.
- Staff Training and Awareness:
- Conduct initial or refresher training for staff on cybersecurity best practices.
- Conduct phishing, social engineering, and malware exercises.
- Change any and all default passwords or implement physical controls for cyber systems where changing default passwords is not technically feasible.
- Encourage staff to update their passwords.
- Vulnerability Scanning and Patching:
- Increase scans of networks and systems, and institute appropriate patching of known system vulnerabilities.
- Check CISA’s US-CERT website for potential threat traffic from suspected IP addresses or malicious activity.
- Update antivirus on critical cyber systems to include Industrial Control Systems.
- Monitor the critical networks in real-time for unauthorized or malicious access and alerts, and recognize and log events and incidents.
- Application Whitelisting:
- Conduct a review to ensure that only approved programs run on networks.
- Review account access controls to critical cyber systems utilizing the least privilege concept, confirming access control lists, and ensuring that accounts with access to critical/sensitive information or processes are modified, deleted, or deactivated immediately when personnel leave and/or when users no longer require access.
- Incident Response:
- Exercise incident response plans, to include an Industrial Control Systems Cybersecurity Incident Response Plan, if applicable.
- Business Continuity:
- Develop and test plans outlining how your facility will sustain business operations without access to certain systems.
Actions for Physical Protection
- Ensure you are aware of your chemicals and assets.
- Recognize other assets that may indirectly relate to, or impact, your chemicals of interest.
- Review available best practices documentation and DHS resources such as the Critical Infrastructure Security and Resilience Guide.
- Confirm your contacts within the community—including with local law enforcement and your local CISA Chemical Security Inspector—are up to date.
- Subscribe to NTAS Alerts and Bulletins.
- Plan and Train:
- Provide your employees with training resources and a security awareness refresher session.
- Conduct an exercise, such as a tabletop exercise, to practice your plans and procedures as soon as possible.
- "If You See Something, Say Something™" is more than just a slogan. Remind personnel to call local law enforcement if you notice suspicious activity in or near your facility’s entry/exit points, loading docks, parking areas, restricted areas, or immediate vicinity.
- Increase roving patrols around chemical inventories and restricted areas.
- Require escorts for non-facility personnel such as contractors and visitors, or temporarily disallow all non-facility personnel.
- Increase screening of all vehicles, personnel, and items entering and leaving the facility.
- Immediately conduct testing or maintenance on security systems, such as intrusion detection systems and cameras, to ensure they are fully functional and increase inspection frequency of security equipment, such as fencing, locks, etc.
- Maintain full-time lighting on outdoor critical assets and additional lighting for remote areas.
- Inventory and Process Controls:
- Increase cycle counts, formal inventories, and logs of chemicals of interest (e.g., weekly or daily).
- Verify shipment and receipt of chemicals by confirming origin of all orders and tracking delivery in real-time or pause all non-critical shipments.
- Ensure dedicated monitoring of all process controls.
- Secure keys, access cards, uniforms, badges, and delivery vehicles, and increase inventory checks of these items.
- Restrict access to critical assets and chemicals of interest to only essential personnel.
- Institute a two-person rule for access to critical assets.
- Add an additional layer of security to outdoor chemicals of interest using barriers (e.g., bollards) and vehicle access points to increase standoff distance.
- Reinforce barriers, fences, and entryways that lead to critical assets.
CISA has more than 150 Chemical Security Inspectors (CSI) around the country who are available to assist facilities possessing chemicals of interest, including non-tiered facilities. To request further information, please contact your local CSI. To find out who your local CSI is, please email the CFATS team the facility name, location, facility point of contact, contact information (i.e., phone and email), and desired meeting dates.
Increased Geopolitical Tensions and Threats
The Threat and How to Think About It
Increased geopolitical tensions and threats of aggression may result in cyber and physical attacks against the Homeland and also destructive hybrid attacks by proxies against U.S. targets and interests abroad. Knowing how you, your organization, and your personnel may be exposed or targeted during increased tensions can help you better prepare. In many cases, implementing the Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials can dramatically improve your defenses. Should an incident occur, engage with partners, like CISA, and work with cyber or physical first responders to gain technical assistance. Review your organization from an outside perspective and ask the tough questions—are you attractive to Iran and its proxies because of your business model, who your customers and competitors are, or what you stand for?
Iranian Threat Profile and Activity
Recent Iran-U.S. tensions have the potential for retaliatory aggression against the U.S. and its global interests. Iran has exercised increasingly sophisticated capabilities to suppress social and political perspectives deemed dangerous to its regime and to target regional and international adversaries. Iran and its proxies and sympathizers have a history of leveraging cyber and physical tactics to pursue national interests, both regionally and here in the United States, such as:
- Disruptive and destructive cyber operations against strategic targets, including finance, energy, and telecommunications organizations, and an increased interest in industrial control systems and operational technology.
- Cyber-enabled espionage and intellectual property theft targeting a variety of industries and organizations to enable a better understanding of our strategic direction and policy-making.
- Disinformation campaigns promoting pro-Iranian narratives while pushing anti-U.S. sentiments.
- Improvised explosive devices (IEDs), which are a staple tactic of the Islamic Revolutionary Guard Corps (IRGC), its Quds Force (focused on external, global operations), and proxy entities such as Hizbollah.
- Attacks against U.S. citizens and interests abroad and similar attacks in the Homeland.
- Unmanned aircraft system (UAS) attacks against hardened and soft targets.
CISA strongly urges you to assess and strengthen your basic cyber and physical defenses to protect against this potential threat.
Things to do Today
- Prepare your organization for rapid response by adopting a state of heightened awareness — This ranges from reviewing your security and emergency preparedness plans, consuming relevant threat intelligence, minimizing coverage gaps in personnel availability, and making sure your emergency call tree is up to date.
- Increase organizational vigilance — Ensure your security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behavior. Assess your access control protocols. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures for immediate response.
- Confirm reporting processes — Ensure your personnel know how and when to report an incident. The well-being of your workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting your cyber incidents to CISA as part of an early warning system.
- Exercise your incident response plan — Ensure your personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are your various data sources logging as expected? Make sure personnel are positioned to act in a measured, calm, and unified manner.
- Confirm offline backup — Ensure you have an offline backup
Actions for Cyber Protection
Ask the following questions about your organization to help mitigate cyber attacks:
- Backups: Do we back up all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident?
- Incident Response: Do we have an incident response plan and have we exercised it?
- Business Continuity: Are we able to sustain business operations without access to certain systems? For how long? Have we tested this?
- Risk Analysis: Have we conducted a cybersecurity risk analysis of the organization?
- Staff Training: Have we trained staff on cybersecurity best practices?
- Account Protections: Have we implemented multi-factor authentication and are we minimizing account privileges?
- Vulnerability Scanning and Patching: Have we implemented regular scans of our networks and systems? Do we have an automated patch management program?
- Network Traffic Monitoring: Are we monitoring the network traffic crossing the boundary of critical networks, including industrial control systems?
- Application Whitelisting: Do we allow only approved programs to run on our networks?
Actions for Physical Protection
Ask the following questions about your organization to help mitigate physical attacks:
- Connect: Do we have the right relationships in the community, including local law enforcement and your local Protective Security Advisor? Having these relationships established before an incident occurs can help speed up the response when something happens.
- Plan: Do we have a plan for how we will handle a security event, such as an active shooter or bomb-related incident? (You can find guidance and technical assistance at CISA.gov to inform your plans.)
- Train: Have we provided employees with training resources and exercises? Plans must be exercised to be effective.
- Report: Do we know who to call, including local law enforcement, if we notice suspicious activity in or near a facility’s entry/exit points, loading docks, parking areas, garages, and vicinity? "If You See Something, Say Something™" is more than just a slogan.
- Monitor and control: Do we know who is entering our workplace, including current employees, former employees, commercial delivery, and service personnel?
- Store, lock, and inventory: Do we effectively manage the organization’s keys, access cards, uniforms, badges, and vehicles?
CISA’s Role as the Nation’s Risk Advisor
In collaboration with industry and government partners, CISA helps organizations understand and counter the risk of nation-state and non-state actors’ malicious activity. CISA is providing recommendations to help partners stay vigilant and protected against potential cyber and physical threats.
The Threat and How to Think About It
Ransomware has rapidly emerged as the most visible cybersecurity risk playing out across our nation’s networks, locking up private sector organizations and government agencies alike. And that’s only what we’re seeing – many more infections are going unreported, ransoms are being paid, and the vicious ransomware cycle continues on. We strongly urge you to consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network (do you really trust a cybercriminal?).
CISA's Role as the Nation's Risk Advisor
Helping organizations protect themselves from ransomware attacks is a chief priority for the Cybersecurity and Infrastructure Security Agency (CISA). We have assisted many ransomware response and recovery efforts, building an understanding of how ransomware attacks unfold, and what potential steps you can take to better defend systems. But we also recognize that there’s no such thing as perfect cybersecurity and ransomware infections can still happen, so we’ve also developed recommendations to help organizations limit damage, and recover smartly and effectively.
Ransomware Mitigations to Help you Defend Today and Secure Tomorrow
The below recommendations lay out three sets of straightforward steps any organization can take to manage their risk. These recommendations are written broadly for all levels within an organization. It’s never as easy as it should be, so if you need help, we urge you to reach out for assistance – CISA is here to help, but so is the FBI, numerous private sector security firms, state authorities, and others.
Actions for - Make Sure You're Not Tomorrow's Headline:
- Backup your data, system images, and configurations and keep the backups offline
- Update and patch systems
- Make sure your security solutions are up to date
- Review and exercise your incident response plan
- Pay attention to ransomware events and apply lessons learned
Actions to Recover If Impacted - Don't Let a Bad Day Get Worse:
- Ask for help! Contact CISA, the FBI, or the Secret Service
- Work with an experienced advisor to help recover from a cyber attack
- Isolate the infected systems and phase your return to operations
- Review the connections of any business relationships (customers, partners, vendors) that touch your network
- Apply business impact assessment findings to prioritize recovery
Actions to Secure Your Environment Going Forward - Don't Let Yourself be an Easy Mark:
- Practice good cyber hygiene; backup, update, whitelist apps, limit privilege, and use multifactor authentication
- Segment your networks; make it hard for the bad guy to move around and infect multiple systems
- Develop containment strategies; if bad guys get in, make it hard for them to get stuff out
- Know your system’s baseline for recovery
- Review disaster recovery procedures and validate goals with executives
Please visit the CISA Resource Page on Ransomware for more information. Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.
Mitigate DNS Infrastructure Tampering
- Review DNS Records
- Change DNS Account Passwords
- Add Multi-Factor Authentication to DNS Accounts
- Monitor Certificate Transparency Logs
In late 2018, cybersecurity organizations across the globe started to detect an increase in malicious activity targeting the Domain Name System (DNS) infrastructure on which we all rely. Using common tactics, outlined below, the attackers were able to redirect and intercept web and email traffic, and could have achieved the same for other networked services.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages its State, Local, Tribal and Territorial (SLTT) government partners, as well as private sector owners of critical infrastructure, to use this guide to learn more about this threat and associated mitigation activities. This guidance is derived from Emergency Directive 19-01 – Mitigate DNS Infrastructure Tampering and includes lessons learned and additional considerations for non-federal entities seeking to implement actions in line with federal civilian departments and agencies, as directed by CISA.
How It Works
The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
The attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.
Why It's Effective
Frequently, different domain and DNS records are owned and managed by different parts of an organization. This means that many organizations lack central visibility into all domains that belong to them or associated DNS records.
This decentralization of the DNS ecosystem and the organizational governance processes make it difficult to monitor and secure domains.
To address the significant risks to organizational information and information systems posed by DNS tampering, CISA directed federal civilian agencies to undertake the following series of near-term actions and encourages non-federal organizations to do the same:
Action 1: Review DNS records
For all organization owned/managed domains:
Review all public domain records with domain registrars to verify the associated NS records are delegated to intended DNS servers; and
Review all DNS records on all authoritative and secondary DNS servers to verify they resolve to their intended destination.
Any discovered discrepancies should be investigated immediately and treated as a potential security incident.
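One way to carry out the Action 1 review, as an added example rather than CISA tooling: it compares a snapshot of published records against the approved inventory and lists every discrepancy, with NS, MX and A records first. The domain names, addresses and the (name, type, value) record layout are constructed for illustration.

```python
"""Added example: diff an observed DNS snapshot against an approved baseline."""
from collections import defaultdict

# Record types the guidance names as tampering targets are reviewed first.
HIGH_RISK_TYPES = {"A", "MX", "NS"}


def normalize(name, rtype, value):
    """Canonical form so 'Example.ORG.' and 'example.org' compare equal."""
    name = name.strip().lower().rstrip(".")
    rtype = rtype.strip().upper()
    value = value.strip()
    if rtype in {"NS", "MX", "CNAME"}:
        # Hostname-valued data is case-insensitive; an MX keeps its preference.
        value = value.lower().rstrip(".")
    return name, rtype, value


def to_rrsets(records):
    """Group (name, type, value) tuples into {(name, type): {values}}."""
    rrsets = defaultdict(set)
    for name, rtype, value in records:
        n, t, v = normalize(name, rtype, value)
        rrsets[(n, t)].add(v)
    return rrsets


def audit(baseline, observed):
    """Return one finding per record set that differs from the baseline."""
    base, obs = to_rrsets(baseline), to_rrsets(observed)
    findings = []
    for key in sorted(set(base) | set(obs)):
        expected, actual = base.get(key, set()), obs.get(key, set())
        if expected == actual:
            continue
        if not expected:
            kind = "unexpected-rrset"   # published but not in the inventory
        elif not actual:
            kind = "missing-rrset"      # in the inventory but not published
        else:
            kind = "value-mismatch"     # resolves somewhere other than intended
        findings.append({
            "name": key[0], "type": key[1], "kind": kind,
            "unexpected": sorted(actual - expected),
            "missing": sorted(expected - actual),
            "priority": "high" if key[1] in HIGH_RISK_TYPES else "normal",
        })
    findings.sort(key=lambda f: (f["priority"] != "high", f["name"], f["type"]))
    return findings


# Constructed sample data: the approved inventory ...
BASELINE = [
    ("example.org", "NS", "ns1.dns-host.example."),
    ("example.org", "NS", "ns2.dns-host.example."),
    ("example.org", "MX", "10 mail.example.org."),
    ("example.org", "TXT", "v=spf1 mx -all"),
    ("www.example.org", "A", "192.0.2.10"),
    ("mail.example.org", "A", "192.0.2.25"),
]
# ... and what the registrar and authoritative servers publish today.
OBSERVED = [
    ("Example.ORG.", "NS", "NS1.dns-host.example"),
    ("example.org", "NS", "ns2.dns-host.example"),
    ("example.org", "MX", "10 mail.example.org"),
    ("www.example.org", "A", "192.0.2.10"),
    ("mail.example.org", "A", "203.0.113.77"),   # changed address
    ("vpn.example.org", "A", "203.0.113.78"),    # not in the inventory
]

if __name__ == "__main__":
    for f in audit(BASELINE, OBSERVED):
        print(f["priority"], f["name"], f["type"], f["kind"],
              "unexpected:", f["unexpected"], "missing:", f["missing"])
```

Each finding is a discrepancy in the sense of Action 1, so it goes to investigation rather than being silently corrected in the inventory.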
Action 2: Change DNS account passwords
Immediately update passwords for all accounts on systems that can make changes to your organization’s DNS records, including accounts on organization-managed DNS server software, systems that manage that software, third-party DNS operators’ administration panels, and DNS registrar accounts.
Action 3: Add multi-factor authentication to DNS accounts
Implement and enforce multi-factor authentication (MFA) for all accounts on systems that can make changes to your organization’s DNS records including accounts on organization-managed DNS server software, systems that manage that software, third-party DNS operators’ administration panels, and DNS registrar accounts.
If MFA is not supported for records hosted by third party providers, CISA strongly encourages organizations to consider migrating to providers that support strong access controls and MFA.
If MFA is not supported on legacy systems hosted internally by organizations, compensating controls can be introduced to temporarily harden access controls (e.g., require physical console access, disable remote access, limit remote access to the management network only).
Action 4: Monitor certificate transparency logs
Monitor Certificate Transparency (CT) log data for newly added certificates issued to organization-owned domains that have not been authorized/requested by the organization.
Scope of Recommendations
The focus of these recommendations is on external/public/internet facing domain and DNS records. The recommendations are not concerned with internal infrastructure.
The scope of these recommendations transcends DNS infrastructure itself and requires a comprehensive approach that includes associated services. To capture this scope, CISA uses the term DNS ecosystem to include: root zones, top level domain registries, domain registrars, domain registrants, and authoritative DNS servers. Disparate organizational units may be responsible for managing these services and successful outcomes depend on their close coordination.
Lessons Learned and Additional Considerations
Many organizations lack a DNS-specific policy to guide DNS-related activities at the operational level that specify security protocols and activities related to the protection of the DNS ecosystem. Even basic steps that can be taken to maintain awareness of DNS infrastructure, such as the documentation of a domain inventory, are not consistently or effectively acted upon across organizations.
Organizations need better top-level control of the acquisition, management, and reporting of domains (e.g. preventing anyone with a corporate purchase card from registering a domain). To successfully protect their infrastructure from DNS tampering, it is critical that organizations have accurate and up-to-date inventories of all domain names that are owned or operated on their behalf.
Without a clear understanding of an organization’s environment, it is not only difficult to identify anomalies, risks, and misconfigurations but it is impossible to defend against what one does not know.
Performing historical analysis of past record changes (passive DNS) may be prudent, but it will not stop current hijacking from occurring; it may only indicate whether a hijack has occurred in the past.
Certificate Transparency logs record all SSL certificates issued by publicly trusted certificate authorities. While those certificates are not directly issued for DNS services, logs can alert you that an unauthorized certificate was issued for a domain you manage. To take full advantage of CT log monitoring, organizations must have 1) a comprehensive inventory of the domains they manage, and 2) the ability to confirm that a certificate request was actually authorized by the organization.
In large organizations with multiple operating divisions, the process of obtaining a certificate may not be centrally managed, and a single entity may not be aware that a given certificate was requested.
To monitor CT logs, organizations may use various free or commercial CT monitoring services.
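The two prerequisites above, a domain inventory and a way to confirm that an issuance was authorized, can be combined into a simple review of CT entries. This is an added example, not a CISA tool or any monitoring service's format: the entry fields, issuer names, serials and the issuance register are constructed assumptions.

```python
"""Added example: flag CT entries for inventoried domains that nobody requested."""
from datetime import datetime, timezone


def in_scope(dns_name, inventory):
    """True if dns_name is an inventoried domain or a subdomain of one."""
    name = dns_name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]                      # a wildcard covers its parent zone
    # Match on a label boundary so 'notexample.org' does not match 'example.org'.
    return any(name == d or name.endswith("." + d) for d in inventory)


def review_ct_entries(entries, inventory, issuance_register,
                      approved_issuers, since=None):
    """Return alerts for in-scope certificates missing from the register."""
    alerts = []
    for entry in entries:
        logged = datetime.fromisoformat(entry["logged_at"])
        if since is not None and logged <= since:
            continue                         # already reviewed in an earlier run
        names = sorted({n.lower() for n in entry["dns_names"]
                        if in_scope(n, inventory)})
        if not names:
            continue                         # not one of our domains
        serial = entry["serial"].lower()
        if (entry["issuer"], serial) in issuance_register:
            continue                         # requested by the organization
        # An approved CA with no matching request may be a division acting on
        # its own; an unapproved CA is the stronger signal.
        reason = ("unrecorded-issuance" if entry["issuer"] in approved_issuers
                  else "unapproved-issuer")
        alerts.append({"logged_at": logged, "issuer": entry["issuer"],
                       "serial": serial, "names": names, "reason": reason})
    alerts.sort(key=lambda a: a["logged_at"])
    return alerts


# Constructed sample data (hypothetical issuers, serials and domains).
INVENTORY = {"example.org", "example.net"}
APPROVED_ISSUERS = {"Example Trust CA"}
ISSUANCE_REGISTER = {("Example Trust CA", "0a1b2c")}
CT_ENTRIES = [
    {"logged_at": "2019-01-05T11:00:00+00:00", "issuer": "Example Trust CA",
     "serial": "0A1B2C", "dns_names": ["www.example.org"]},
    {"logged_at": "2019-01-06T09:30:00+00:00", "issuer": "Example Trust CA",
     "serial": "0A1B2D", "dns_names": ["mail.example.org"]},
    {"logged_at": "2019-01-08T02:14:00+00:00", "issuer": "Other Free CA",
     "serial": "77FF01", "dns_names": ["*.example.org", "example.org"]},
    {"logged_at": "2019-01-08T03:00:00+00:00", "issuer": "Other Free CA",
     "serial": "77FF02",
     "dns_names": ["example.org.cdn-host.test", "notexample.org"]},
]

if __name__ == "__main__":
    for a in review_ct_entries(CT_ENTRIES, INVENTORY,
                               ISSUANCE_REGISTER, APPROVED_ISSUERS):
        print(a["logged_at"].isoformat(), a["reason"], a["issuer"],
              a["serial"], a["names"])
```

An `unrecorded-issuance` result is where decentralized certificate purchasing shows up, so it needs confirmation with the operating divisions before it is closed.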
From a federal perspective, gaining central visibility into all domains owned by an organization proved to be the most labor intensive and challenging process. Organizations with a strong grasp on all domain related records and/or central visibility had to invest significantly less effort to meet the same requirements. A coordinated effort by all organizational units throughout the enterprise is essential for a successful outcome.
Organizations with a large number of domain names and domain name records may want to prioritize domain names and records associated with key services offered to organizational users (for example, websites that are central to the organization’s mission, MX records, or other services with high utilization).
Helpful Links and Reference Materials
CISA Current Activity: DNS Infrastructure Hijacking Campaign: https://www.us-cert.gov/ncas/current-activity/2019/01/10/DNS-Infrastructure-Hijacking-Campaign
Sources of Certificate Transparency (CT) logs (and passive DNS records):
Auditing DNS records and Certificate Transparency (CT) logs using Splunk: https://www.splunk.com/blog/2019/01/25/cisa-emergency-directive-19-01-doing-things-the-easy-way-in-splunk.html
For guidance on MFA, organizations should consult National Institute of Standards and Technology (NIST) Special Publication 800-63B Digital Identity Guidelines Authentication and Lifecycle Management: https://csrc.nist.gov/publications/detail/sp/800-63b/final
When utilizing MFA, organizations should consider using additional factors that are resilient to phishing. Consistent with NIST SP 800-63B, Short Message Service (SMS)-based MFA is not recommended.
Remediate Vulnerabilities for Internet-Accessible Systems
- Ensure your vulnerability scanning service is scanning all Internet-accessible IP addresses
- Notify the scanning service of any modifications to your organization's Internet-accessible IPs
- Ensure the scanning service provides at least weekly scanning results
- Coordinate with system owners to remediate vulnerabilities
Adversaries operating in cyberspace can make quick work of unpatched Internet-accessible systems. Moreover, the time between an adversary’s discovery of a vulnerability and their exploitation of it (i.e., the ‘time to exploit’) is rapidly decreasing. Industry reports estimate that adversaries are now able to exploit a vulnerability within 15 days (on average) of discovery. After gaining entry into information systems and networks, these adversaries can cause significant harm.
Internet-accessible information systems include any system that is globally accessible over the public internet (i.e., has a publicly routed internet protocol (IP) address or a hostname that resolves publicly in DNS to such an address) and encompass those systems directly managed by an organization, as well as those operated by a third-party on an organization’s behalf. As organizations continue to expand their Internet presence through increased use and operation of interconnected and complex Internet accessible systems, it is more critical than ever to rapidly remediate vulnerabilities inherent to these systems. Failure to do so could allow malicious actors to compromise networks through exploitable, externally-facing systems.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages its State, Local, Tribal and Territorial (SLTT) government partners, as well as private sector owners of critical infrastructure, to use this guide to learn more about this threat and associated mitigation activities. This guidance is derived from Binding Operational Directive 19-02 – Vulnerability Remediation Requirements for Internet-Accessible Systems and includes lessons learned and additional considerations for non-federal entities seeking to implement actions in line with federal civilian departments and agencies, as directed by CISA.
To ensure effective and timely remediation of vulnerabilities identified through vulnerability scanning, organizations should undertake the following actions:
Action 1: Ensure your vulnerability scanning service is scanning all Internet-accessible IP addresses
Create and maintain an asset inventory of all such IPs belonging to your organization.
Action 2: Notify the scanning service of any modifications to your organization's Internet accessible IPs
This includes newly acquired IPs or re-assigned IPs that are no longer part of your organization's asset inventory.
Action 3: Ensure the scanning service provides at least weekly scanning results
Action 4: Coordinate with system owners to remediate vulnerabilities
CISA recommends the following remediation timelines:
Critical vulnerabilities should be remediated within 15 calendar days of initial detection.
High vulnerabilities should be remediated within 30 calendar days of initial detection.
If vulnerabilities cannot be remediated within the recommended timeframes, develop a remediation plan for action and coordination across the organization. The remediation plan should include:
- Vulnerability remediation constraints
- Interim mitigation actions to overcome constraints
- Final actions required to remediate vulnerability
Lessons Learned and Additional Considerations
- The decentralization of organizations and their governance processes makes it difficult to coordinate the remediation of vulnerabilities. Network owners should be aware of who is operating their respective networks, if not done in-house.
- Without a clear understanding of an organization’s internet-accessible footprint, it is not only difficult to identify anomalies, risks, and misconfigurations, but it is also impossible to defend against what one does not know.
- Many organizations lack robust patch and configuration management policies and procedures to guide the coordination of vulnerability management-related activities at an operational level.
- Historically, most vulnerabilities identified by CISA are related to unsupported operating systems that cannot receive patched or upgraded (secure) software. This is largely due to the prevalence of legacy systems across all industries and sectors, some of which perform mission critical functions. The continued presence of end-of-life (EOL) systems is mostly due to the budgetary constraints inherent in replacing large amounts of EOL systems, often at the reduced funding levels of sub-organizations.
Establishing a coordination POC can help ensure the streamlined dissemination of vulnerability information to all sub-organizations. A coordination POC can also help resolve false positive claims and unnecessary remediation actions.
CISA’s process for resolving false positives includes:
Submit an email to your organization’s coordination POC with analysis and supporting evidence for determination (for example, a screenshot of the IP address and operating system). CISA also utilizes a False Positive Assertion form for system owners to fill out and submit to the coordination POC.
The coordination POC facilitates review of the evidence and analysis to validate the assertion. This does not include exploiting a vulnerability, but may include actively sending packets to the host in question. If the analysis confirms the assertion, the vulnerability is marked as a false positive.
False positive status expires 365 days after designation and personnel are required to re-submit evidence on an annual basis to confirm the vulnerability remains a false positive.
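The Action 4 timelines and the 365-day false-positive expiry above, applied to a series of weekly scan results, as an added example that is not CISA's tooling. The scan layout, the placeholder vulnerability IDs and the rule that a finding's clock restarts after it has been absent from a scan are assumptions of this sketch.

```python
"""Added example: remediation worklist built from weekly scan results."""
from datetime import date, timedelta

REMEDIATION_DAYS = {"critical": 15, "high": 30}   # calendar days, per the page
FALSE_POSITIVE_DAYS = 365
STATUS_RANK = {"overdue": 0, "within-window": 1, "false-positive": 2}


def open_findings(scans):
    """Map each finding in the latest scan to (initial detection, severity).

    scans: {scan_date: [(ip, port, vuln_id, severity), ...]}. A finding that
    is absent from a scan is treated as remediated, so a later reappearance
    starts a new detection date (assumption of this example).
    """
    current = {}
    for scan_date in sorted(scans):
        present = {(ip, port, vid): sev for ip, port, vid, sev in scans[scan_date]}
        current = {key: (current[key][0] if key in current else scan_date, sev)
                   for key, sev in present.items()}
    return current


def worklist(scans, false_positives, as_of):
    """Return open critical/high findings, overdue ones first."""
    rows = []
    for key, (first_seen, sev) in open_findings(scans).items():
        if sev not in REMEDIATION_DAYS:
            continue            # the page gives timelines for critical and high only
        due = first_seen + timedelta(days=REMEDIATION_DAYS[sev])
        designated = false_positives.get(key)
        # Treated as expired from the 365th day after designation onward.
        fp_valid = (designated is not None and
                    as_of < designated + timedelta(days=FALSE_POSITIVE_DAYS))
        if fp_valid:
            status = "false-positive"
        elif as_of > due:
            status = "overdue"          # a remediation plan is needed
        else:
            status = "within-window"
        rows.append({"finding": key, "severity": sev, "first_seen": first_seen,
                     "due": due, "status": status,
                     "resubmit_false_positive": designated is not None and not fp_valid})
    rows.sort(key=lambda r: (STATUS_RANK[r["status"]], r["due"], r["finding"]))
    return rows


# Constructed sample data: four weekly scans with placeholder vulnerability IDs.
A = ("192.0.2.10", 443, "VULN-A", "critical")
B = ("192.0.2.11", 22, "VULN-B", "high")
C = ("192.0.2.12", 3389, "VULN-C", "critical")
D = ("192.0.2.13", 80, "VULN-D", "high")
E = ("192.0.2.14", 8080, "VULN-E", "critical")
F = ("192.0.2.15", 25, "VULN-F", "high")
SCANS = {
    date(2019, 5, 6): [A, B, C, D, E, F],
    date(2019, 5, 13): [A, B, D, E],        # C and F no longer detected
    date(2019, 5, 20): [A, B, C, D, E],     # C is back: detection date restarts
    date(2019, 5, 27): [A, B, C, D, E],
}
FALSE_POSITIVES = {
    D[:3]: date(2018, 5, 20),   # designation older than 365 days: expired
    E[:3]: date(2019, 1, 15),   # still valid
}

if __name__ == "__main__":
    for r in worklist(SCANS, FALSE_POSITIVES, date(2019, 5, 28)):
        print(r["status"], r["severity"], r["finding"], "due", r["due"],
              "resubmit FP evidence" if r["resubmit_false_positive"] else "")
```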
Manage and prioritize cybersecurity risk appropriately within your environment. The nuances of each organization’s environmental risk factors and mitigating controls are different. Prioritize certain vulnerabilities and devices over others in line with your organization’s existing security baselines.
Apply additional parameters, rules, and internal policy decision points as necessary, which may affect the acceptable timeframes to remediate specific types of vulnerabilities or vulnerabilities affecting certain types of devices. For example, organizations should consider the impact the exploitation of a vulnerability may have if an Internet-accessible IP is associated with a High Value Asset (HVA) or Mission Essential System (MES). Likewise, organizations should consider how many assets are affected by a specific vulnerability type and how long vulnerabilities have existed.
Continuously analyze threat information, vulnerability information, and engage sub-organizations to further prioritize actions which may go beyond the defined scores to indicate ‘critical of critical’ vulnerabilities. In these instances, provide alerts to sub-organizations to ensure adequate steps are being taken across the organization.
Not every vulnerability will require immediate action, nor is it prudent to apply patches without first analyzing and testing to minimize disruption to network operations. In these cases, organizations should clearly articulate the rationale for not remediating the vulnerability to the group coordinating organization-wide vulnerability management.
Where patching is not possible due to certain limitations, network segregation is highly recommended to limit exposure of the vulnerable system or host.
Vulnerability Scanning Considerations
Ensure a service agreement is established and signed between your organization and the scanning service provider to outline the scope and parameters of scanning.
Include all in-scope IPs from all aspects of the organization (i.e., sub-organizations) in the IP asset inventory to ensure scanning and vulnerability identification across the organization. If ports aren’t normally open to the general public (e.g. only certain whitelisted IPs can connect), you should still ensure the IP is included in the scanning scope so the scanning service can act as a double-check on that rule for you.
Ensure scanning access by removing the service’s source IP addresses from block lists. This allows your organization to properly triage and respond to alerts generated by your Security Information and Event Management (SIEM). These addresses may change without prior notice, so CISA recommends regular monitoring of any provided source IP list.
Ensure Internet Service Providers (ISPs), Cloud Service Providers (CSPs), and other shared service providers are aware of your organization’s requirements for remediating internet-accessible vulnerabilities. Ensure service providers are meeting or exceeding remediation requirements.
Do not grant preferential treatment (e.g. explicitly whitelisting or opening any ports/services other than what is normally available for your systems) for the scanning. This allows the scanning service to find and report on vulnerabilities from a perspective similar to that of an attacker. However, scanning services are focused on identifying exposed vulnerabilities prior to their exploitation, and due to timing and urgency considerations, they usually make no attempt at stealth, which may sometimes trigger technical controls that an attacker, using more conservative tactics, might not. Should this occur, remove network blocks and let the scanning service know that their scans were blocked as well as that you have corrected it so they can jumpstart scanning on the particular IPs again, if necessary.
Include internet-accessible applications in your scanning scope even if only available to your organization. The scope should include all of your static, public IP addresses that are managed by or on behalf of your organization. Do not include private IPs from systems accessible only through your organization’s intranet.
CISA offers a no-cost service comprising vulnerability scanning of static IPv4 IP addresses to identify vulnerabilities on Internet-accessible systems. SLTT governments and private entities should consider taking advantage of this service in addition to periodic tests conducted by network administrators.
Non-federal organizations can opt to participate in the CISA vulnerability scanning program by sending a request to email@example.com.
Establishing a vulnerability coordination POC and aligning resources to address identified vulnerabilities detected on Internet-accessible systems is only the beginning and most inexpensive aspect of vulnerability management.
The next step is implementing a vulnerability and configuration management program to enforce consistent patch management across all hosts within the network environment. This should start with those systems that have critical or prioritized vulnerabilities discovered in the vulnerability scan. When possible, remove end-of-life products from the network.
Helpful Links and Reference Materials
CISA Binding Operational Directive 19-02 – Vulnerability Remediation Requirements for Internet-Accessible Systems and FAQ: https://cyber.dhs.gov/bod/19-02/
CISA Blog Post on BOD 19-02: https://www.cisa.gov/cisa/blog/2019/04/29/cisa-releases-binding-operational-directive-new-requirements-remediating
For guidance on Enterprise Patch Management Technologies, organizations should consult National Institute of Standards and Technology (NIST) Special Publication 800-40 Rev. 3 Guide to Enterprise Patch Management Technologies: https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final
Secure High Value Assets (HVAs)
- Establish an organization-wide HVA governance program
- Identify and prioritize HVA information systems
- Consider the interconnectivity and dependencies of HVA systems when determining which systems are HVAs
- Develop a methodology for prioritizing HVAs based on criticality and mission importance
- Develop an assessment approach based on HVA prioritization
- Ensure timely remediation of identified vulnerabilities
A High Value Asset (HVA) is information or an information system that is so critical to an organization that the loss or corruption of this information or loss of access to the system would have serious impact to the organization’s ability to perform its mission or conduct business. These assets, systems, and datasets may contain sensitive controls, instructions or data used in critical operations, or they may house unique collections of data. These sensitivities make HVAs of particular interest to criminal, politically-motivated, or state-sponsored actors for either direct exploitation of the data or to cause a loss of confidence by the public.
To counter dynamic threats to the security and resilience of HVAs, it is essential that organizations take a more comprehensive view of the risk they pose and the information and information systems they target.
The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) encourages its State, Local, Tribal and Territorial (SLTT) government partners, as well as private sector owners of critical infrastructure, to use this guide to learn more about the threat to HVAs and associated mitigation activities. This guidance is derived from Binding Operational Directive 18-02 – Securing High Value Assets and includes lessons learned and additional considerations for non-federal entities seeking to implement actions in line with federal civilian departments and agencies, as directed by CISA.
To address the significant risks to HVAs, CISA directed federal civilian agencies to undertake the following series of actions and encourages non-federal organizations to do the same. These recommendations address the identification, categorization, and prioritization of HVAs. They focus on an assessment approach to identify and prioritize risks and weaknesses for timely mitigation and architectural enhancements based on the assessment results.
Action 1: Establish an organization-wide HVA governance program
Organizations should take a strategic, enterprise-wide view of cyber risk that unifies the effort to protect HVAs against evolving cyber threats. Organizations should establish an office, team, or other governance structure to enable the incorporation of HVA activities (e.g., assessment, remediation, incident response) into broader planning activities for information system security and privacy management, such as Enterprise Risk Management and Contingency Planning.
Action 2: Identify and prioritize high value asset information systems
The following categories are useful in identifying HVAs. Organizations can determine what information systems they have that fall into one or both of these categories.
Information Value - the data the system processes, stores, or transmits is of high value to the organization and/or adversaries; and
Mission Essential - the owning organization cannot accomplish its mission essential functions within the expected timeliness without this information system.
Action 3: Consider the interconnectivity and dependencies of HVA systems when determining which systems are HVAs
For example, if the authentication solution for an HVA is the organization’s centralized Active Directory solution then the Active Directory solution may also be considered an HVA due to critical dependency.
Consider dependent and interdependent systems that can impact the operations of an HVA and its ability to perform a mission.
Protect the dependent and interdependent systems at the same level as the primary systems.
Action 4: Develop a methodology for prioritizing HVAs based on criticality and mission importance
A prioritized HVA list can be used by the organization to prioritize monitoring, assessment, and contingency actions across the organization’s operational functions.
Identify and prioritize the HVAs so that everyone in the organization understands the most important systems.
Ensure that the most important systems receive the highest priority of support, funding, and operations to keep the mission going.
Action 5: Develop an assessment approach based on HVA prioritization
Organizations should develop an assessment approach for their HVAs based on the prioritization. For example, an independent third-party contractor assesses the top 50% of the systems and the bottom 50% of the systems are self-assessed by internal staff. Organizations should determine the best approach for assessments based on their risk management appetite/tolerance.
This should include implementing an HVA organizational risk assessment where all HVA systems receive assessments at least once every three years based on risk.
Performing regular information security checks against these HVAs is critical in ensuring that the systems and information are protected at the appropriate levels commensurate with risk.
Action 6: Ensure timely remediation of identified vulnerabilities
Organizations should make efforts to remediate any assessment risks/weaknesses within 30 days.
If remediation cannot be completed within 30 days, a detailed remediation plan should be developed and tracked to completion.
Helpful Links and Reference Materials
CISA Binding Operational Directive 18-02 - Securing High Value Assets: https://cyber.dhs.gov/bod/18-02/
CISA Binding Operational Directive 16-01 - Securing High Value Assets (Revoked): https://cyber.dhs.gov/bod/16-01/
DHS, Securing High Value Assets: https://www.cisa.gov/sites/default/files/publications/Securing%20High%20Value%20Assets_Version%201.1_July%202018_508c.pdf
DHS, High Value Asset Control Overlay: https://www.cisa.gov/sites/default/files/publications/HVA%20Control%20Overlay%20v1.0_0_0.pdf
The Office of Management and Budget (OMB), Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program: https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf
The Office of Management and Budget (OMB), Managing Information as a Strategic Resource: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf
Enhance Email and Web Security
- Adopt a minimum DMARC policy of "p=none"
- Implement HTTPS with HSTS across all external-facing domains
- Disable weak encryption standards for web and email
- Maintain ongoing visibility of DMARC findings and reports
Phishing emails and the use of the unencrypted Hypertext Transfer Protocol (HTTP) remain persistent channels through which malicious actors can exploit vulnerabilities in an organization’s cybersecurity posture. Attackers may spoof a domain to send a phishing email that looks like a legitimate email. At the same time, users transmitting data via unencrypted HTTP, which does not protect data from interception or alteration, are vulnerable to eavesdropping, tracking, and the modification of the data itself.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages its State, Local, Tribal and Territorial (SLTT) government partners, as well as private entities, to use this guide to learn more about this threat and associated mitigation activities. This guidance is derived from Binding Operational Directive 18-01 – Enhance Email and Web Security and includes lessons learned and additional considerations for non-federal entities seeking to implement actions in line with federal civilian departments and agencies, as directed by CISA.
How It Works
An attacker spoofs the domain of a reputable organization, and sends an email that looks to be a legitimate email.
Data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information.
Why It's Effective
Other organizations or members of the public might receive spoofed emails, perceive them to be from an authoritative source, and act on them.
Internal employees may assume spoofed emails are legitimate and act upon them.
If an attacker is successfully spoofing a domain in order to send malicious emails from it, this can significantly harm the affected organization’s reputation.
Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about the users of unencrypted websites and services.
Near-Term Recommended Actions
To address the significant risks to organizational information and information systems posed by phishing emails and use of the unencrypted HTTP protocol, CISA directed federal civilian agencies to undertake the following series of near-term actions and encourages non-federal organizations to do the same:
Actions to Mitigate Phishing Email Attacks
When enabled by a receiving mail server, STARTTLS signals to a sending mail server that the capability to encrypt an email in transit is present. While it does not force the use of encryption, enabling STARTTLS makes passive man-in-the-middle attacks more difficult.
SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) allow a sending domain to effectively “watermark” their emails, making unauthorized emails (e.g., spam, phishing email) easy to detect. When an email is received that doesn’t pass an organization’s posted SPF/DKIM rules, DMARC (Domain-based Message Authentication, Reporting & Conformance) tells a recipient what the domain owner would like done with the message.
Setting a DMARC policy of “reject” provides the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery. Additionally, DMARC reports provide a mechanism for an organization to be made aware of the source of an apparent forgery, information that they wouldn’t normally receive otherwise. Multiple recipients can be defined for the receipt of DMARC reports.
Actions to Enhance Web Security
Hypertext Transfer Protocol (HTTP) connections can be easily monitored, modified, and impersonated; HTTPS remedies each vulnerability. HTTP Strict Transport Security (HSTS) ensures that browsers always use an https:// connection, and removes the ability for users to click through certificate-related warnings.
Organizations should consider progress on HTTPS and HSTS deployment, such as removing support for known-weak cryptographic protocols and ciphers.
According to CISA vulnerability scanning data, 7 of the 10 most common vulnerabilities seen across observed networks at the time of issuance of Binding Operational Directive 18-01 would be addressed through implementing the recommended actions in this ACR related to web security.
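The following Python sketch is an added example, not CISA code, that classifies a site's Strict-Transport-Security response header against the HSTS goals described above. The status names and sample header values are assumptions; the preload thresholds are the ones published by hstspreload.org, not by this guide.

```python
PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age required by hstspreload.org

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {directive: value or None}."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"directive repeated: {name}")
        # max-age may be sent as a quoted string, e.g. max-age="300"
        directives[name] = value.strip().strip('"') if sep else None
    return directives

def assess_hsts(header):
    """Return (status, max_age) for one header value (None = header absent).

    status: missing, invalid, disabled, host-only, all-subdomains, preload-ready
    """
    if header is None:
        return "missing", None
    try:
        directives = parse_hsts(header)
    except ValueError:
        return "invalid", None
    raw = directives.get("max-age")
    if raw is None or not (raw.isascii() and raw.isdigit()):
        return "invalid", None  # max-age is mandatory and must be an integer
    max_age = int(raw)
    if max_age == 0:
        return "disabled", 0  # max-age=0 tells browsers to forget the policy
    if "includesubdomains" not in directives:
        return "host-only", max_age
    if "preload" in directives and max_age >= PRELOAD_MIN_AGE:
        return "preload-ready", max_age
    return "all-subdomains", max_age

if __name__ == "__main__":
    # Constructed header values, as a web server might send them.
    for value in (None,
                  "max-age=300",
                  "max-age=0; includeSubDomains",
                  "max-age=86400; includeSubDomains; preload",
                  "max-age=31536000; includeSubDomains; preload"):
        print(assess_hsts(value), "<-", value)
```

A "host-only" or "all-subdomains" result on a second-level domain means it is not yet a candidate for the preload list mentioned in the web security recommendations.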
Where to Get Started
Recommendations for enhancing email security:
Configure all internet-facing mail servers to offer STARTTLS, and all second-level organization domains to have valid SPF/DMARC records, with at minimum a DMARC policy of “p=none” and at least one address defined as a recipient of aggregate and/or failure reports.
Ensure that Secure Sockets Layer (SSL) v2 and SSLv3 are disabled on mail servers, and 3DES and RC4 ciphers are disabled on mail servers.
Ensure that organizations add the centralized body location as a recipient of DMARC aggregate reports.
Set a DMARC policy of “reject” for all second-level domains and mail-sending hosts.
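The email recommendations above can be checked mechanically against a domain's published DMARC TXT record. The following Python sketch is an added example, not CISA code; the grade names, the handling of the sp (subdomain policy) tag, and the example.org records are assumptions made for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT record into an ordered dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if not sep or not name or name in tags:
            raise ValueError(f"malformed or repeated tag: {part!r}")
        tags[name] = value.strip()
    return tags

def report_recipients(tags):
    """Addresses from the rua (aggregate) and ruf (failure) mailto: URIs."""
    found = []
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri.lower().startswith("mailto:"):
                found.append(uri[len("mailto:"):].split("!")[0])  # drop size limit
    return found

def assess(txt):
    """Return (grade, findings): invalid, below-minimum, minimum or target."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return "invalid", [str(exc)]
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return "invalid", ["record must begin with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid", [f"missing or unknown p= value {policy!r}"]
    findings = []
    has_recipient = bool(report_recipients(tags))
    if not has_recipient:
        findings.append("no rua/ruf mailto: recipient, so no reports arrive")
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy != "reject":
        findings.append(f"p={policy} does not reject unauthenticated mail")
    elif subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy} is weaker than reject for subdomains")
    if not has_recipient:
        return "below-minimum", findings
    return ("target" if not findings else "minimum"), findings

if __name__ == "__main__":
    # Constructed sample records; example.org is a placeholder domain.
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc@example.org",
                   "v=DMARC1; p=reject",
                   "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.org"):
        print(assess(record), "<-", record)
```

Here "minimum" corresponds to the first recommendation (a valid policy plus at least one report recipient) and "target" to a reject policy that also covers subdomains.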
Recommendations for enhancing web security:
Ensure that all publicly accessible websites and web services provide service through a secure connection (HTTPS-only, with HSTS), SSLv2 and SSLv3 are disabled on web servers, and 3DES and RC4 ciphers are disabled on web servers.
Identify and provide a list of second-level domains that can be HSTS preloaded, for which HTTPS will be enforced for all subdomains to the centralized body charged with managing these recommendations.
Consider drafting a report to the leadership of the centralized body charged with managing these recommendations on the status of implementation.
Collect feedback and input from partner equities before release to avoid vendor constraints during implementation.
Ensure validating authority and its mechanisms are sound and in place before release to track compliance to successful implementation.
Send all sub-organizations a weekly scorecard to drive competition amongst the participants.
Ongoing Recommended Actions
Perform extensive outreach and support for technical as well as implementation questions.
Host implementation events and technical exchanges to provide additional guidance on implementation.
Send out scorecards weekly to leadership for awareness and to motivate improvement.
Develop a public-facing website to provide guidance and FAQs.
Identify non-compliance for follow-on conversations.
Develop a central reporting location for all DMARC reports, and provide analysis to all equities.
Lessons Learned and Additional Considerations
Due to a general misunderstanding about how DMARC works, and the potential fear of “missing” emails, the centralized body charged with managing the recommendations should create guidance to share with non-technical staff.
Many organizations do not understand the need to protect non-sending email domains with DMARC. DMARC adoption helps organizations better understand email use and categorize mail sending domains.
Organizations need higher-level governance to guide their actions concerning these standards. Future changes in an environment could result in increased vulnerability.
Organizations should be cautious when entering records in DNS, as it is sensitive to errors.
While the goal is to reach 100% adoption of mitigation best practices, an organization’s environment can fluctuate, causing unevenness in maturity. Adoption progress tends to ‘mature’ at the 90-95% mark, on average.
The challenges around “indirect email flows,” where email is sent via intermediaries (mailing lists, account forwarding), are recognized as an issue and discussed further in the references below.
There is a significant vendor constraint in disabling 3DES in mail environments.
Microsoft has stated that they will begin disabling in July 2019.
Google has launched MTA-STS as a solution.
Be aware of potential issues with scanning sites that require authentication.
Have a firm understanding of inventory/environment before release.
Establish internal success metrics before release.
Entities with consolidated IT organizations are more efficient at implementation.
Many organizations, particularly smaller ones, may lack DMARC expertise and require support in order to implement DMARC.
Reading and understanding DMARC reports is extremely difficult without a tool.
Implementing the actions recommended in this guide may result in budgetary and/or contractual/vendor implications.
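Several points above turn on reading DMARC aggregate reports: they reveal the source of an apparent forgery, and they are hard to read without a tool. The following Python sketch is an added example, not CISA code and not one of the tools linked below. It assumes the RFC 7489 aggregate report layout without an XML namespace and uses a constructed report with documentation IP addresses.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>8</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
</feedback>"""

def summarize(xml_text):
    """Return (domain, policy, {source_ip: {"pass": n, "fail": n}}).

    A message passes DMARC when either the DKIM or the SPF evaluation passes.
    """
    # Reports come from outside parties: refuse DTDs and entity declarations
    # rather than let the XML parser expand them.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in a report")
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain", "").strip()
    policy = root.findtext("policy_published/p", "").strip()
    sources = defaultdict(lambda: {"pass": 0, "fail": 0})
    for record in root.iter("record"):
        ip = record.findtext("row/source_ip", "").strip()
        count = int(record.findtext("row/count", "0"))
        evaluated = record.find("row/policy_evaluated")
        results = () if evaluated is None else (
            evaluated.findtext("dkim", "").strip(), evaluated.findtext("spf", "").strip())
        sources[ip]["pass" if "pass" in results else "fail"] += count
    return domain, policy, dict(sources)

def unauthenticated_sources(xml_text):
    """Source IPs whose mail failed both DKIM and SPF, busiest first."""
    _, _, sources = summarize(xml_text)
    failing = [(ip, c["fail"]) for ip, c in sources.items() if c["fail"]]
    return sorted(failing, key=lambda item: -item[1])
```

Sources returned by unauthenticated_sources are either forgeries or legitimate senders not yet covered by SPF/DKIM, which is the distinction to settle before moving a domain from "p=none" to "reject".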
Helpful Links and Reference Materials
CISA Binding Operational Directive 18-01 - Enhance Email and Web Security and FAQ: https://cyber.dhs.gov/bod/18-01/
UK National Cyber Security Centre (NCSC) MailCheck GitHub Repository: https://github.com/ukncsc/mail-check
ElasticMARC - DMARC Aggregate Report Digest and Analysis for Windows Utilizing the Elastic Stack GitHub Repository: https://github.com/wwalker0307/ElasticMARC
Dmarcian XML to Human Converter: https://dmarcian.com/xml-to-human-converter/
Global Cyber Alliance – Benefits of Email Authentication and DMARC TXT Records: https://dmarc.globalcyberalliance.org; https://dmarc.globalcyberalliance.org/resource/dmarc-txt-records-what-we-discovered/
Authenticated Received Chain (ARC) Mail Forwarding Guidance: http://arc-spec.org/
For further guidance, organizations should consult National Institute of Standards and Technology (NIST) Special Publication 800-177 Trustworthy Email: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-177.pdf