The Cybersecurity and Infrastructure Security Agency (CISA) took advantage of the RSA Conference to advance Secure by Design practices for increasing software security. Over sixty-eight software manufacturers signed on as participating members, committing to seven goals such as increasing multifactor authentication, decreasing default passwords and making it easier for customers to identify evidence of intrusions within their products.
MULTI-FACTOR AUTHENTICATION (MFA)
MFA adds another level of security that makes it harder for hackers to gain entry. It also protects high-value user accounts whose compromise could have serious real-world consequences, such as bank accounts being drained or an SLA breach resulting in fines for failing to meet customer expectations.
MFA factors vary and may include knowledge (passwords or PINs, or security questions and answers, which have become less popular due to online trawling of social media profiles), possession (one-time passcodes sent via SMS, or hardware tokens, which require physical presence at an access point), and behavioral factors such as pattern recognition or behavioral analytics that detect abnormal patterns during login attempts.
Adaptive MFA leverages contextual clues such as location, time of day, device and habits of its users to verify identity. This makes the system less intrusive for mobile workers while increasing security compared to traditional MFA methods that require users to remember or write down passwords or be near physical devices to receive SMS codes.
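The adaptive decision described above, as an added example (not code from CISA or from any pledge signatory): a login is scored on device, location and time of day against the user's learned habits, and a second factor is requested only when the score is elevated. The Profile and Login types, the weights, the thresholds and the sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Profile:
    """Habits learned for one user (constructed sample data below)."""
    known_devices: set
    usual_countries: set
    usual_hours: range          # local hours in which the user normally signs in

@dataclass
class Login:
    device_id: str
    country: str
    when: datetime

# Assumed weights and thresholds, for illustration only; tune from real data.
WEIGHTS = {"new_device": 40, "new_country": 35, "odd_hour": 15}
STEP_UP_AT, DENY_AT = 30, 80

def risk_signals(profile, login):
    """Return the contextual signals on which this login departs from habit."""
    signals = []
    if login.device_id not in profile.known_devices:
        signals.append("new_device")
    if login.country not in profile.usual_countries:
        signals.append("new_country")
    if login.when.hour not in profile.usual_hours:
        signals.append("odd_hour")
    return signals

def decide(profile, login):
    """Map the summed risk to allow / step_up (ask for a second factor) / deny."""
    signals = risk_signals(profile, login)
    score = sum(WEIGHTS[s] for s in signals)
    action = "deny" if score >= DENY_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return action, score, signals

def learn(profile, login):
    """After a successful step-up, fold the new context into the user's habits."""
    profile.known_devices.add(login.device_id)
    profile.usual_countries.add(login.country)

# Constructed sample: one user and three sign-in attempts.
alice = Profile({"laptop-7f3a"}, {"GB"}, range(7, 20))
ATTEMPTS = [
    Login("laptop-7f3a", "GB", datetime(2024, 5, 8, 9, 30)),   # routine
    Login("phone-new", "GB", datetime(2024, 5, 8, 10, 0)),     # unfamiliar device
    Login("kiosk-x", "BR", datetime(2024, 5, 9, 3, 15)),       # everything unfamiliar
]
if __name__ == "__main__":
    for attempt in ATTEMPTS:
        print(attempt.device_id, decide(alice, attempt))
```

A late sign-in from a known device in the usual country scores below the step-up threshold here, which is the trade-off that keeps prompts rare for mobile workers.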
DEFAULT PASSWORDS
Default passwords on many devices pose a significant security threat for businesses. Attackers could leverage them to gain unauthorized access to networks or the data stored therein.
Criminals take advantage of default credentials by targeting and exploiting vulnerable systems to launch attacks against an organization and/or its employees, making password management one of the top security challenges faced by organizations today. As a result, organizations must manage password security with extreme care if they want to maintain effective protections against threats such as identity theft.
Security best practice guidelines (like Cyber Essentials, PCI DSS and UK Gov ITHC) include changing default passwords as an essential activity. Furthermore, these passwords are frequently listed in online databases, which attackers use to target vulnerable products and exploit vulnerabilities.
CISA's Secure by Design pledge aims to address this problem by galvanizing action from some of the largest technology manufacturers worldwide. They have agreed within one year to meet seven specific goals that include multi-factor authentication, eliminating default passwords, reducing entire classes of vulnerabilities, security patches, vulnerability disclosure policies, and providing evidence of intrusions.
REDUCING ENTIRE CLASSES OF VULNERABILITY
At the RSA Conference event, CISA promoted its Secure by Design Pledge to encourage technology manufacturers to incorporate security measures during product design and lifecycles. While not legally binding, this pledge requires participating manufacturers to work towards each goal and demonstrate progress within one year after signing.
Zabierek believes implementing basic security practices will allow vendors to regain time that would have otherwise been spent fixing vulnerabilities or taking systems offline, while helping them distinguish themselves in a market where both government agencies and consumers increasingly demand secure-by-design principles in purchasing decisions.
Still, no guarantee can be given that this effort will bear fruit. "Most people need convincing that building cybersecurity into products is good not only for security but common sense as well," according to Ellis. In the meantime, "we may see some failures but hopefully also successes along the way," according to Touhill.
SECURITY PATCHES
Secure by Design (SBD) seeks to shift security responsibilities away from individual users and small businesses not engaged in software development or cybersecurity, to large technology manufacturers who can take an active part in building security into their products. But implementation is often challenging, as demonstrated by a ReversingLabs blog post about "Security by Inertia", an issue many organizations experience when trying to move toward SBD practices.
Sixty-eight large software manufacturers, such as Amazon Web Services, BlackBerry, Cisco, Hewlett Packard Enterprise, IBM, Google, Microsoft and Lenovo, have signed the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design pledge to design technology with stronger built-in security. Signatories agree to make measurable progress toward seven goals, including increasing multifactor authentication usage in their products, decreasing default passwords, reducing entire classes of vulnerabilities, distributing security patches on time, putting vulnerability disclosure policies in place and providing evidence of intrusions.
Security patches are fixes designed to address specific holes or vulnerabilities in applications, systems, or networks. To keep up with security patch updates and ensure their timely deployment, IT teams should set up alerts, test and deploy new security patches quickly, and create policies to manage this process and roll out fixes for vulnerabilities efficiently.
VULNERABILITY DISCLOSURE POLICY
Establishing security measures at an early stage can save organizations significant sums. Implementation also simplifies compliance requirements and can limit damage from data breaches; by mitigating their effects, companies can focus on recovery instead of dealing with negative press surrounding such incidents.
CISA has taken steps to encourage industry participation in an initiative called the Voluntary Security Flaw Disclosure Pledge that may change that. Under this pledge, tech manufacturers are required to publish a vulnerability disclosure policy with clear guidelines for researchers as well as assurances that legal actions against them won't occur.
It must also specify that the company will work collaboratively with researchers to resolve issues quickly, retain information relevant to researchers such as contact details and retain any necessary material for researchers' investigations, as well as explain any unavailability in response times; furthermore, any policy must apply equally to internet-accessible products and services as well as non-internet accessible ones like private information systems and physical products.
CVES
CISA, or Cybersecurity and Infrastructure Security Agency, aims to increase software security by having manufacturers design products with security as an integral component. At the RSA Conference this week, they unveiled their Secure by Design Pledge; already 68 tech companies including Big Tech giants such as Microsoft, Google and Amazon Web Services have pledged their participation and made commitments toward meeting seven goals set out by CISA.
The first goal calls on pledge signatories to publish a blog explaining how they plan to reduce specific classes of vulnerabilities within one year, along with measures taken to measurably increase customer installation of security patches and decrease memory safety bugs, which hackers exploit to compromise data.
Claroty's Geyer believes these goals are worthy of pursuit and although this pledge is voluntary, he hopes it will refocus conversations about basic security principles and make tech buyers consider why their vendor didn't voluntarily sign.
EVIDENCE OF INTRUSIONS
Lenovo was one of 68 tech companies that signed the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design pledge, which encourages organizations to design technology with security features built in from the outset. Although not legally binding, signing this pledge does require signatories to set publicly measurable goals across seven core focus areas: multi-factor authentication, default passwords, reducing entire vulnerability classes, security patches, vulnerability disclosure policies, CVEs, and evidence of intrusions.
Reducing CVEs requires manufacturers to work toward significantly decreasing certain classes of vulnerabilities such as SQL injection and memory safety flaws. When they achieve their goal, they'll publish their roadmap on how they're doing this. This may lead to an increase in CVEs because some classes take longer to fix than others, but that is still acceptable.
CISA director Jen Easterly explained that these pledges aim to shift security responsibilities away from end users who don't specialize in tech development or cybersecurity, onto technology manufacturers who can create better software. Although this move is an essential one, analysts noted that it may not stop all attacks.